Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhancing Web Privacy Protection Through Declarative Policies

Published byแก้วเก้า ติณสูลานนท์ Modified over 5 years ago

Similar presentations

Presentation on theme: "Enhancing Web Privacy Protection Through Declarative Policies"— Presentation transcript:

1 Enhancing Web Privacy Protection Through Declarative Policies
Pranam Kolari1 Li Ding1, Lalana Kagal2, Shashi Ganjugunte1, Anupam Joshi1, Tim Finin1 1 2 Pranam Kolari – Policy 2005

2 Outline Web Privacy P3P/APPEL Motivation and Problem Description
User Trust Rei Policy Language System Design Privacy Policy Specification Conclusion Pranam Kolari – Policy 2005

3 Cathy on the Web Source : Cathy Guisewite via Lorrie Cranor
Pranam Kolari – Policy 2005

4 Cathy on the Web Source : Cathy Guisewite via Lorrie Cranor
Pranam Kolari – Policy 2005 Source : Cathy Guisewite via Lorrie Cranor

5 P3P – The current solution
P3P is Platform for Privacy Preferences Protocols and specification languages P3P Schema for Websites APPEL Schema for Clients Pranam Kolari – Policy 2005

6 P3P Sample Policy Site’s name and contact info Access disclosure Statement Human-readable explanation How data may be used Data recipients Data retention policy Types of data collected <POLICIES xmlns=" <POLICY discuri=" name="policy"> <ENTITY> <DATA-GROUP> <DATA </DATA> ref="#business.contact-info.online.uri"> <DATA ref="#business.name">Web Privacy With P3P</DATA> </DATA-GROUP> </ENTITY> <ACCESS><nonident/></ACCESS> <STATEMENT> <CONSEQUENCE>We keep standard web server logs.</CONSEQUENCE> <PURPOSE><admin/><current/><develop/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> <RETENTION><indefinitely/></RETENTION> <DATA ref="#dynamic.clickstream"/> <DATA ref="#dynamic.http"/> </STATEMENT> </POLICY> </POLICIES> Pranam Kolari – Policy 2005 Slide Courtesy: Lorrie Cranor

7 APPEL APPEL is A P3P Preference Exchange Language (W3C working draft in April 2002) Website P3P Policy APPEL User Preference <RULESET> <RULE behavior=“request”> <POLICY> <STATEMENT> <PURPOSE><individual-decision/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> </POLICY> </RULE> </RULESET> <STATEMENT> <PURPOSE>< individual-decision /></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> Pranam Kolari – Policy 2005

8 The problem … Pranam Kolari – Policy 2005

9 Trusting Websites 56% of consumers don’t believe businesses keep promises 63% believe independent verification is important 62% believe existing laws and organizational practices are insufficient Consumer Confidence Trust website policies Distrust website policies Source : (Ernst and Young report 2004) Pranam Kolari – Policy 2005

10 Existing Mechanisms A4Proxy Pranam Kolari – Policy 2005

11 P3P/XPref APPEL User Preference Website P3P Policy
<RULESET> <RULE behavior=“request”> <POLICY> <STATEMENT> <PURPOSE><individual-decision/></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> </POLICY> </RULE> </RULESET> <STATEMENT> <PURPOSE>< individual-decision /></PURPOSE> <RECIPIENT><ours/></RECIPIENT> </STATEMENT> <PURPOSE>< telemarketing /></PURPOSE> <RECIPIENT><third-party/></RECIPIENT> <RULESET> <RULE behavior=“request” condition=“/POLICY[ every $pname in STATEMENT/PURPOSE/* satisfies name($panme)=“individual-decision” and every $rname in STATEMENT/RECIPIENT/* satisfies name($rname)= “ours” ]”/> <RULE behavior=“block” condition=“true”/> </RULESET> XPref User Preference Pranam Kolari – Policy 2005

12 Low P3P Adoption Pranam Kolari – Policy 2005

13 Problem Description P3P policies published by websites not trusted by users Low P3P adoption impedes client adoption by users The languages available to describe user privacy preferences are not sufficiently expressive P3P framework does not provide a coherent view of available privacy protection mechanisms to the user Pranam Kolari – Policy 2005

14 Our approach … Pranam Kolari – Policy 2005

15 Social Recommendations (1, 2)
Note: Superscripts signify problem being addressed Pranam Kolari – Policy 2005

16 Website Evaluation Ontology (1, 2)
Modeling User Perspective of Trust Populating ontology with instance data BizRate Services for users to explicitly specify preferences Share using existing social network mechanisms (Ding 2003) Website Evaluation Ontology popularity serviceType 9 DiscussionGroup hasP3P owner URI OSDN hasPrivacyCertifier isBasedOutOf USA -- hasTextPolicy domainSuffix URI org OSDN US policySimilarTo lawEnforcedBy Yes hasPolicyEnforcement Pranam Kolari – Policy 2005

17 Rei Policy Language (3)(4)
Rei, a policy specification language developed by Lalana Kagal at UMBC (lkagal 2003) Encoded in (1) Prolog, (2) OWL Models deontic concepts of permissions, prohibitions, obligations and dispensations Uses meta policies for conflict resolution Uses speech acts for dynamic policy modification We used it as a policy specification language RDF specification capability (matches that of P3P) Dynamic Policies as future extension to our work Pranam Kolari – Policy 2005 Part content Courtesy: Lalana Kagal

18 Rei Policy Language (3)(4)
actor, target Entity DeonticObject to action deontic grants Policy Granting Action precondition, effect requirement SpeechAct DomainAction context Constraint Boolean Simple Pranam Kolari – Policy 2005

19 Rei Policy Modeling (1)(2)(3)(4)
Two actors Website Web browser Multiple context P3P RDF published by websites User Context Trust Recommendations Multiple actions with priorities Right, Prohibition, Obligation* Pranam Kolari – Policy 2005 *(not enforced)

20 System Design (1)(2)(3)(4)
Key Points Web Sites optionally publish P3P policies Clients specify privacy preferences using a policy language - Rei Privacy Expert is the privacy enhancement enabler by binding together entities of the system Rei Engine evaluates policies of users against website attributes Website Recommender Network propagates and builds a model of websites based on reputation FOAF – Enables the creation of the website recommender network 1 Web Server publish (optionally) Website Recommender Network P3P Policy Ontologies, Trust rules Personal agents XSLT Transformer 5 3 Rei Engine Privacy Expert 4 JRC Privacy Proxy* 6 FOAF Rei Privacy Policy (RDF based, enhancements over APPEL) Trusted Agent Network# Clients publish 2 # FOAF, Golbeck, Li ideas of Trust Pranam Kolari – Policy 2005

21 Example Policy [1] - Template
<policy:Policy rdf:about="&wwwpolicy;comprehensive“ policy:desc="Sample policy"> <policy:grants rdf:resource="&wwwpolicy;grantingPermission" /> .. </policy:Policy> <!– Granting Objects --> <policy:Granting rdf:about="&wwwpolicy;grantingPermission"> <policy:desc>Current policy allows access to a website</policy:desc> <policy:to rdf:resource="&wwwpolicy;var1"/> <policy:deontic rdf:resource="&wwwpolicy;right1"/> </policy:Granting> <!– Deontic Objects --> <deontic:Permission rdf:about="&wwwpolicy;right1"> <deontic:actor rdf:resource="&wwwpolicy;var1"/> <deontic:action rdf:resource="&wwwpolicy;request"/> <deontic:constraint rdf:resource="&wwwpolicy;complexconstraint" /> </deontic:Permission> Policy Rule Rule Desc. Rule Actor Rule Action Policy Constraint Pranam Kolari – Policy 2005

22 Example Policy [1] - Constraints
<constraint:SimpleConstraint rdf:about=“&wwwpolicy;domainOfServiceConstraint” constraint:subject =“&wwwpolicy;var1” constraint:predicate=“&wwwpolicy;domainOfServiceConstraint” constraint:object=“&weo;travel” /> <constraint:SimpleConstraint rdf:about=“&wwwpolicy;trustedDomainGOVconstraint” constraint:predicate=“&weo;domainSuffix” constraint:object=“&weo;gov” /> <constraint:Or rdf:about=“&wwwpolicy;complexconstraint”> <constraint:first rdf:resource=“&wwwpolicy;trustedDomainGOVconstraint” /> <constraint:second rdf:resource=“&wwwpolicy;domainOfServiceConstraint” /> </constraint:Or> Policy Constraint Policy Constraint Pranam Kolari – Policy 2005

23 Example Policy [2] - Obligation
<policy:Policy rdf:about="&wwwpolicy;obligationexample" <policy:grants rdf:resource="&wwwpolicy;grantingRight" /> <policy:grants rdf:resource="&wwwpolicy;grantingObligation"/> </policy:Policy> <policy:Granting rdf:about="&wwwpolicy;grantingRight"> <policy:deontic rdf:resource="&wwwpolicy;right1"/> </policy:Granting> <policy:Granting rdf:about="&wwwpolicy;grantingObligation"> <policy:to rdf:resource="&wwwpolicy;webbrowser"/> <policy:deontic rdf:resource="&wwwpolicy;obligation1"/> .. <deontic:Permission rdf:about="&wwwpolicy;right1"> <deontic:actor rdf:resource="&wwwpolicy;website"/> <deontic:action rdf:resource="&wwwpolicy;request"/> </deontic:Permission> <deontic:Obligation rdf:about="&wwwpolicy;obligation1"> <deontic:actor rdf:resource="&wwwpolicy;webbrowser"/> <deontic:action rdf:resource="&wwwpolicy;tunnelRequest"/> </deontic:Obligation> Right Obligation Pranam Kolari – Policy 2005

24 Example Policy [3] - Priority
<policy:Policy rdf:about="&wwwpolicy;rulepriorityexample“> <policy:defaultModality rdf:resource=”&metapolicy;NegativeModalityPrecedence/> <policy:grants rdf:resource="&wwwpolicy;grantingRight1" /> <policy:grants rdf:resource="&wwwpolicy;grantingRight2" /> <policy:grants rdf:resource="&wwwpolicy;grantingProhibition" /> <metapolicy:rulePriority rdf:resource="&wwwpolicy;rulepriority1"/> </policy:Policy> <metapolicy:RulePriority rdf:about=“&wwwpolicy;rulepriority1”> <metapolicy:ruleOfGreaterPriority rdf:resource=“&wwwpolicy;grantingRight1” /> <metapolicy:ruleOfLesserPriority rdf:resource=“&wwwpolicy;grantingProhibition” /> </metapolicy:RulePriority> Default Rules Explicit Pranam Kolari – Policy 2005

25 Closing Remarks Evaluation of trust based recommender systems
Web browser adopting enhanced framework clients with FOAF based spam filtering Policy Engines User Context Manager Ontologies from the Semantic Web Development of common shared ontologies for user trust and context – FOAF, SOUPA Pranam Kolari – Policy 2005

26 Conclusion The utility of an existing policy language in a highly complex policy engineering domain Policy engineering and enforcement in Web Privacy offers many challenges Enforcing Obligations Engineering Delegation Logic using Speech Acts and subsequent enforcement Pranam Kolari – Policy 2005

27 Questions ?? Paper and Presentation Available at:
Pranam Kolari – Policy 2005

Download ppt "Enhancing Web Privacy Protection Through Declarative Policies"

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.
1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.

1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.
Semantic Web Thanks to folks at LAIT lab Sources include :

Semantic Web Thanks to folks at LAIT lab Sources include :
XML Technology in E-Commerce

XML Technology in E-Commerce
CS570 Artificial Intelligence Semantic Web & Ontology 2

CS570 Artificial Intelligence Semantic Web & Ontology 2
Privacy Policy, Law and Technology Carnegie Mellon University Fall 2005 Lorrie Cranor 1 Privacy Authorization Languages.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2005 Lorrie Cranor 1 Privacy Authorization Languages.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research
The Platform for Privacy Preferences Project (P3P) Lorrie Faith Cranor AT&T Labs-Research P3P Interest Group Co-Chair October 1998.

The Platform for Privacy Preferences Project (P3P) Lorrie Faith Cranor AT&T Labs-Research P3P Interest Group Co-Chair October 1998.
Policy Description & Enforcement Languages Anis Yousefi

Policy Description & Enforcement Languages Anis Yousefi
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.

Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.
Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.

Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.
W3C Finland Seminar: Semantic Web & Web Services© Kimmo RaatikainenMay 6, 2003 XML in Wireless World Kimmo Raatikainen University of Helsinki, Department.

W3C Finland Seminar: Semantic Web & Web Services© Kimmo RaatikainenMay 6, 2003 XML in Wireless World Kimmo Raatikainen University of Helsinki, Department.
P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.

P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.
Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu Presented by Yajie Zhu 03/24/2005.

Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu Presented by Yajie Zhu 03/24/2005.
BTW Information Annotation By Rudd Stevens, Jason Endo.

BTW Information Annotation By Rudd Stevens, Jason Endo.
From SHIQ and RDF to OWL: The Making of a Web Ontology Language

From SHIQ and RDF to OWL: The Making of a Web Ontology Language
Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Privacy Policy.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2007 Lorrie Cranor 1 Privacy Policy.

Similar presentations

Ads by Google