Enhancing Web Privacy Protection Through Declarative Policies

Slides:

Advertisements

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

Advertisements

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.

1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.

Semantic Web Thanks to folks at LAIT lab Sources include :

XML Technology in E-Commerce

CS570 Artificial Intelligence Semantic Web & Ontology 2

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2005 Lorrie Cranor 1 Privacy Authorization Languages.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

The Platform for Privacy Preferences Project (P3P) Lorrie Faith Cranor AT&T Labs-Research P3P Interest Group Co-Chair October 1998.

Policy Description & Enforcement Languages Anis Yousefi

OASIS Reference Model for Service Oriented Architecture 1.0

Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.

Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.

W3C Finland Seminar: Semantic Web & Web Services© Kimmo RaatikainenMay 6, 2003 XML in Wireless World Kimmo Raatikainen University of Helsinki, Department.

P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.

Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu Presented by Yajie Zhu 03/24/2005.

BTW Information Annotation By Rudd Stevens, Jason Endo.

From SHIQ and RDF to OWL: The Making of a Web Ontology Language

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Privacy Policy.

International User Group Information Delivery Manuals: General Overview Courtesy:This presentation is based on material provided by AEC3 and AEC Infosystems.

1 of 30 Declarative Policies for Describing Web Service Capabilities and Constraints Lalana Kagal Tim Finin Anupam Joshi University of Maryland Baltimore.

Semantic Web Technologies Lecture # 2 Faculty of Computer Science, IBA.

Usable Security – CS 6204 – Fall, 2009 – Dennis Kafura – Virginia Tech Privacy Preferences Edgardo Vega Usable Security – CS 6204 – Fall, 2009 – Dennis.

An OWL based schema for personal data protection policies Giles Hogben Joint Research Centre, European Commission.

Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.

An XPath-based Preference Language for P3P IBM Almaden Research Center Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu.

Intelligent Agents Meet the Semantic Web in Smart Spaces Harry Chen,Tim Finin, Anupam Joshi, and Lalana Kagal University of Maryland, Baltimore County.

Deploying Trust Policies on the Semantic Web Brian Matthews and Theo Dimitrakos.

The Semantic Web Service Shuying Wang Outline Semantic Web vision Core technologies XML, RDF, Ontology, Agent… Web services DAML-S.

SOUPA: Standard Ontology for Ubiquitous and Pervasive Applications Harry Chen, Filip Perich, Tim Finin, Anupam Joshi Department of Computer Science & Electrical.

INF 384 C, Spring 2009 Ontologies Knowledge representation to support computer reasoning.

Privacy, P3P and Internet Explorer 6 P3P Briefing – 11/16/01.

Integrated Development Environment for Policies Anjali B Shah Department of Computer Science and Electrical Engineering University of Maryland Baltimore.

1 WS-Privacy Paul Bui Ryan Dickey. 2 Agenda  WS-Privacy  Introduction to P3P  How P3P Works  P3P Details  A P3P Scenario  Conclusion  References.

Modeling  Conversation  Policies using Permissions  and  Obligations Lalana Kagal and Tim Finin University of Maryland, Baltimore County AAMAS Workshop.

Use of a P3P User Agent by Early Adopters Lorrie Faith Cranor Manjula Arjula Praven Guduru AT&T Labs November 2002.

Semantic Information Assurance for Distributed Knowledge Management A Business Process Perspective Presented By: Syed Asif Raza Suraj Bista

Rei and Rules Tim Finin, UMBC Lalana Kagal, MIT Tim Finin, UMBC Lalana Kagal, MIT.

© 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June © 2003 IBM Corporation Shortcomings.

1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.

Extending context models for privacy in pervasive computing environments Jadwiga Indulska The School of Information Technology and Electrical Engineering,

Trustworthy Semantic Webs Dr. Bhavani Thuraisingham The University of Texas at Dallas Introduction to the Course.

I2RS draft-rfernando-yang-mods.txt I2RS Yang Extensions draft-rfernando-yang-data-mods R.Fernando, P.Chinnakannan, M.Madhayyan, A.Clemm.

A Policy Based Approach to Security for the Semantic Web Lalana Kagal, Tim Finin and Anupam Joshi.

Introduction to Semantic Web Service Architecture ► The vision of the Semantic Web ► Ontologies as the basic building block ► Semantic Web Service Architecture.

Trustworthy Semantic Webs Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #4 Vision for Semantic Web.

1 Device Descriptions and User Profiles 인공지능연구실 정홍석.

Computational Policies in a Need to Share Environment Tim Finin University of Maryland, Baltimore County SemGrail workshop, Redmond WA, 21 June 2007.

ShareNet Integrating Trust and Privacy policy Li Ding.

1 Nov. 2, 2005 Design and Application of Rule Based Access Control Policies Huiying Li, Xiang Zhang, Honghan Wu & Yuzhong Qu Dept. Computer.

1 T. Hill Review of: ROWLBAC – Representing Role Based Access Control in OWL T. Finin, A. Joshi L. Kagal, B. Thuraisingham, J. Niu, R. Sandhu, W. Winsborough.

NSF Cyber Trust Annual Principal Investigator Meeting September 2005 Newport Beach, California UMBC an Honors University in Maryland Trust and Security.

RDFa Primer Bridging the Human and Data webs Presented by: Didit ( )

Selected Semantic Web UMBC CoBrA – Context Broker Architecture  Using OWL to define ontologies for context modeling and reasoning  Taking.

Semantic Interoperability in GIS N. L. Sarda Suman Somavarapu.

CMPE 494 Service-Oriented Architectures and Web Services Platform for Privacy Preferences Project (P3P) İDRİS YILDIZ

Anupam Joshi University of Maryland, Baltimore County Joint work with Tim Finin and several students Computational/Declarative Policies.

OWL (Ontology Web Language and Applications) Maw-Sheng Horng Department of Mathematics and Information Education National Taipei University of Education.

Web Ontology Language for Service (OWL-S)

Web Services for Semantic Interoperability and Integration

Policies for Autonomy in Open Distributed Systems

Semantic Web UMBC Dr. Yelena Yesha Semantic Web UMBC IBM RTP.

Database Systems Instructor Name: Lecture-3.

On Parametric Obligation Policies: Enabling Privacy-aware Information Lifecycle Management in Enterprises IEEE Policy Workshop 2007 Marco Casassa Mont.

Groups and Permissions

The Platform for Privacy Preferences Project

Presentation transcript:

Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari1 Li Ding1, Lalana Kagal2, Shashi Ganjugunte1, Anupam Joshi1, Tim Finin1 1 2 Pranam Kolari – Policy 2005

Outline Web Privacy P3P/APPEL Motivation and Problem Description User Trust Rei Policy Language System Design Privacy Policy Specification Conclusion Pranam Kolari – Policy 2005

Cathy on the Web Source : Cathy Guisewite via Lorrie Cranor Pranam Kolari – Policy 2005

Cathy on the Web Source : Cathy Guisewite via Lorrie Cranor Pranam Kolari – Policy 2005 Source : Cathy Guisewite via Lorrie Cranor

P3P – The current solution P3P is Platform for Privacy Preferences Protocols and specification languages P3P Schema for Websites APPEL Schema for Clients Pranam Kolari – Policy 2005

P3P Sample Policy Site’s name and contact info Access disclosure Statement Human-readable explanation How data may be used Data recipients Data retention policy Types of data collected <POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1"> <POLICY discuri="http://p3pbook.com/privacy.html" name="policy"> <ENTITY> <DATA-GROUP> <DATA ref="#business.contact-info.online.email">privacy@p3pbook.com </DATA> ref="#business.contact-info.online.uri">http://p3pbook.com/ <DATA ref="#business.name">Web Privacy With P3P</DATA> </DATA-GROUP> </ENTITY> <ACCESS><nonident/></ACCESS> <STATEMENT> <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE> <PURPOSE><admin/><current/><develop/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> <RETENTION><indefinitely/></RETENTION> <DATA ref="#dynamic.clickstream"/> <DATA ref="#dynamic.http"/> </STATEMENT> </POLICY> </POLICIES> Pranam Kolari – Policy 2005 Slide Courtesy: Lorrie Cranor

APPEL APPEL is A P3P Preference Exchange Language (W3C working draft in April 2002) Website P3P Policy APPEL User Preference <RULESET> <RULE behavior=“request”> <POLICY> <STATEMENT> <PURPOSE><individual-decision/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> </POLICY> </RULE> … </RULESET> … <STATEMENT> <PURPOSE>< individual-decision /></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> Pranam Kolari – Policy 2005

The problem … Pranam Kolari – Policy 2005

Trusting Websites 56% of consumers don’t believe businesses keep promises 63% believe independent verification is important 62% believe existing laws and organizational practices are insufficient Consumer Confidence Trust website policies Distrust website policies Source : (Ernst and Young report 2004) Pranam Kolari – Policy 2005

Existing Mechanisms A4Proxy Pranam Kolari – Policy 2005

P3P/XPref APPEL User Preference Website P3P Policy <RULESET> <RULE behavior=“request”> <POLICY> <STATEMENT> <PURPOSE><individual-decision/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> </POLICY> </RULE> … </RULESET> … <STATEMENT> <PURPOSE>< individual-decision /></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> <PURPOSE>< telemarketing /></PURPOSE> <RECIPIENT><third-party/></RECIPIENT> <RULESET> <RULE behavior=“request” condition=“/POLICY[ every $pname in STATEMENT/PURPOSE/* satisfies name($panme)=“individual-decision” and every $rname in STATEMENT/RECIPIENT/* satisfies name($rname)= “ours” ]”/> <RULE behavior=“block” condition=“true”/> </RULESET> XPref User Preference Pranam Kolari – Policy 2005

Low P3P Adoption Pranam Kolari – Policy 2005

Problem Description P3P policies published by websites not trusted by users Low P3P adoption impedes client adoption by users The languages available to describe user privacy preferences are not sufficiently expressive P3P framework does not provide a coherent view of available privacy protection mechanisms to the user Pranam Kolari – Policy 2005

Our approach … Pranam Kolari – Policy 2005

Social Recommendations (1, 2) Note: Superscripts signify problem being addressed Pranam Kolari – Policy 2005

Website Evaluation Ontology (1, 2) Modeling User Perspective of Trust Populating ontology with instance data BizRate Services for users to explicitly specify preferences Share using existing social network mechanisms (Ding 2003) Website Evaluation Ontology www.slashdot.org popularity serviceType 9 DiscussionGroup hasP3P owner URI OSDN hasPrivacyCertifier isBasedOutOf USA -- hasTextPolicy domainSuffix URI org OSDN US policySimilarTo lawEnforcedBy Yes hasPolicyEnforcement Pranam Kolari – Policy 2005

Rei Policy Language (3)(4) Rei, a policy specification language developed by Lalana Kagal at UMBC (lkagal 2003) Encoded in (1) Prolog, (2) OWL Models deontic concepts of permissions, prohibitions, obligations and dispensations Uses meta policies for conflict resolution Uses speech acts for dynamic policy modification We used it as a policy specification language RDF specification capability (matches that of P3P) Dynamic Policies as future extension to our work Pranam Kolari – Policy 2005 Part content Courtesy: Lalana Kagal

Rei Policy Language (3)(4) actor, target Entity DeonticObject to action deontic grants Policy Granting Action precondition, effect requirement SpeechAct DomainAction context Constraint Boolean Simple Pranam Kolari – Policy 2005

Rei Policy Modeling (1)(2)(3)(4) Two actors Website Web browser Multiple context P3P RDF published by websites User Context Trust Recommendations Multiple actions with priorities Right, Prohibition, Obligation* Pranam Kolari – Policy 2005 *(not enforced)

System Design (1)(2)(3)(4) Key Points Web Sites optionally publish P3P policies Clients specify privacy preferences using a policy language - Rei Privacy Expert is the privacy enhancement enabler by binding together entities of the system Rei Engine evaluates policies of users against website attributes Website Recommender Network propagates and builds a model of websites based on reputation FOAF – Enables the creation of the website recommender network 1 Web Server publish (optionally) Website Recommender Network P3P Policy Ontologies, Trust rules Personal agents XSLT Transformer 5 3 Rei Engine Privacy Expert 4 JRC Privacy Proxy* 6 FOAF Rei Privacy Policy (RDF based, enhancements over APPEL) Trusted Agent Network# Clients publish 2 # FOAF, Golbeck, Li ideas of Trust Pranam Kolari – Policy 2005

Example Policy [1] - Template <policy:Policy rdf:about="&wwwpolicy;comprehensive“ policy:desc="Sample policy"> <policy:grants rdf:resource="&wwwpolicy;grantingPermission" /> .. </policy:Policy> <!– Granting Objects --> <policy:Granting rdf:about="&wwwpolicy;grantingPermission"> <policy:desc>Current policy allows access to a website</policy:desc> <policy:to rdf:resource="&wwwpolicy;var1"/> <policy:deontic rdf:resource="&wwwpolicy;right1"/> </policy:Granting> … <!– Deontic Objects --> <deontic:Permission rdf:about="&wwwpolicy;right1"> <deontic:actor rdf:resource="&wwwpolicy;var1"/> <deontic:action rdf:resource="&wwwpolicy;request"/> <deontic:constraint rdf:resource="&wwwpolicy;complexconstraint" /> </deontic:Permission> Policy Rule Rule Desc. Rule Actor Rule Action Policy Constraint Pranam Kolari – Policy 2005

Example Policy [1] - Constraints <constraint:SimpleConstraint rdf:about=“&wwwpolicy;domainOfServiceConstraint” constraint:subject =“&wwwpolicy;var1” constraint:predicate=“&wwwpolicy;domainOfServiceConstraint” constraint:object=“&weo;travel” /> <constraint:SimpleConstraint rdf:about=“&wwwpolicy;trustedDomainGOVconstraint” constraint:predicate=“&weo;domainSuffix” constraint:object=“&weo;gov” /> … <constraint:Or rdf:about=“&wwwpolicy;complexconstraint”> <constraint:first rdf:resource=“&wwwpolicy;trustedDomainGOVconstraint” /> <constraint:second rdf:resource=“&wwwpolicy;domainOfServiceConstraint” /> </constraint:Or> Policy Constraint Policy Constraint Pranam Kolari – Policy 2005

Example Policy [2] - Obligation <policy:Policy rdf:about="&wwwpolicy;obligationexample" <policy:grants rdf:resource="&wwwpolicy;grantingRight" /> <policy:grants rdf:resource="&wwwpolicy;grantingObligation"/> … </policy:Policy> <policy:Granting rdf:about="&wwwpolicy;grantingRight"> <policy:deontic rdf:resource="&wwwpolicy;right1"/> </policy:Granting> <policy:Granting rdf:about="&wwwpolicy;grantingObligation"> <policy:to rdf:resource="&wwwpolicy;webbrowser"/> <policy:deontic rdf:resource="&wwwpolicy;obligation1"/> .. <deontic:Permission rdf:about="&wwwpolicy;right1"> <deontic:actor rdf:resource="&wwwpolicy;website"/> <deontic:action rdf:resource="&wwwpolicy;request"/> </deontic:Permission> <deontic:Obligation rdf:about="&wwwpolicy;obligation1"> <deontic:actor rdf:resource="&wwwpolicy;webbrowser"/> <deontic:action rdf:resource="&wwwpolicy;tunnelRequest"/> </deontic:Obligation> Right Obligation Pranam Kolari – Policy 2005

Example Policy [3] - Priority <policy:Policy rdf:about="&wwwpolicy;rulepriorityexample“> <policy:defaultModality rdf:resource=”&metapolicy;NegativeModalityPrecedence/> <policy:grants rdf:resource="&wwwpolicy;grantingRight1" /> <policy:grants rdf:resource="&wwwpolicy;grantingRight2" /> <policy:grants rdf:resource="&wwwpolicy;grantingProhibition" /> <metapolicy:rulePriority rdf:resource="&wwwpolicy;rulepriority1"/> … </policy:Policy> <metapolicy:RulePriority rdf:about=“&wwwpolicy;rulepriority1”> <metapolicy:ruleOfGreaterPriority rdf:resource=“&wwwpolicy;grantingRight1” /> <metapolicy:ruleOfLesserPriority rdf:resource=“&wwwpolicy;grantingProhibition” /> </metapolicy:RulePriority> Default Rules Explicit Pranam Kolari – Policy 2005

Closing Remarks Evaluation of trust based recommender systems Web browser adopting enhanced framework E-mail clients with FOAF based spam filtering Policy Engines User Context Manager Ontologies from the Semantic Web Development of common shared ontologies for user trust and context – FOAF, SOUPA Pranam Kolari – Policy 2005

Conclusion The utility of an existing policy language in a highly complex policy engineering domain Policy engineering and enforcement in Web Privacy offers many challenges Enforcing Obligations Engineering Delegation Logic using Speech Acts and subsequent enforcement Pranam Kolari – Policy 2005

Questions ?? Paper and Presentation Available at: http://ebiquity.umbc.edu/v2.1/paper/html/id/213/ Pranam Kolari – Policy 2005