Privacy Authorization Languages. Privacy Policy, Law and Technology, Carnegie Mellon University, Fall 2005, Lorrie Cranor.


1 Privacy Policy, Law and Technology, Carnegie Mellon University, Fall 2005, Lorrie Cranor, http://lorrie.cranor.org/courses/fa05/
Privacy Authorization Languages
Week 7 - October 10, 12

2 Privacy languages serve many roles
- Specify organization’s privacy policy to end users and their agents
- Specify users’ privacy preferences to users’ agent
- Specify organization’s privacy policy to gatekeeper server that can approve or deny requests to access database
- Specify policy associated with particular data elements to parties that buy or rent data

3 Can one privacy language do it all?
- Maybe… But so far none have emerged
- We’ve found over a dozen privacy languages (including several access control and rule languages used for privacy applications)
- Languages have different audiences, specify policies at different levels of granularity, and have different strengths and weaknesses

4 User privacy preferences
- P3P 1.0 agents may (optionally) take action based on user preferences
- Users should not have to trust privacy defaults set by software vendors
- User agents that can read APPEL (A P3P Preference Exchange Language) files can offer users a number of canned choices developed by trusted organizations
- Preference editors allow users to adapt existing preferences to suit own tastes, or create new preferences from scratch
- For more info on APPEL see http://www.w3.org/TR/WD-P3P-preferences or Chapter 13 in Web Privacy with P3P

5 APPEL rule
<appel:RULE behavior="limited" prompt="yes" description="Warning! Data may be shared.">
Behavior
- request
- block
- limited
description
connective
- or
- and
- non-or
- non-and
- and-exact
- or-exact
pattern

6 What does this APPEL ruleset do?
<appel:RULESET xmlns:appel="http://www.w3.org/2001/02/APPELv1" xmlns:p3p="http://www.w3.org/2000/12/P3Pv1" crtdby="Lorrie Cranor">

7 APPEL question in HW7
What are your personal privacy preferences?
a) First express them in English as a set of 3 to 5 rules. For example one rule might be "I don't want companies to share my data." If you can't capture all of your privacy preferences in 5 rules, just write down the 5 rules you consider most important.
b) Translate your rules into P3P vocabulary elements (for example, the above rule would translate to "RECIPIENT=ours")
c) Create an APPEL ruleset that represents your set of 3 to 5 privacy preference rules (plus a catch-all rule)
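How the connectives and behaviors listed on the APPEL rule slide interact with rule order and a catch-all rule, as an added example that is not part of the original slides. It simplifies APPEL by treating the evidence as the flat set of RECIPIENT values a P3P policy declares (real APPEL matches XML trees); the ruleset, the function names and the fallback when no rule fires are constructed for illustration.

```python
# Simplified APPEL matcher (added example). Evidence is the flat set of values
# a P3P policy declares for one element, here RECIPIENT.

def connective_match(connective, listed, evidence):
    """Apply one APPEL connective to the rule's listed values and the evidence."""
    listed, evidence = set(listed), set(evidence)
    found = listed & evidence
    only_listed = evidence <= listed      # side condition of the "-exact" forms
    checks = {
        "or": bool(found),                # at least one listed value present
        "and": found == listed,           # every listed value present
        "non-or": not found,              # no listed value present
        "non-and": found != listed,       # at least one listed value missing
        "or-exact": bool(found) and only_listed,
        "and-exact": found == listed and only_listed,
    }
    return checks[connective]             # KeyError on an unknown connective


def evaluate(ruleset, evidence):
    """Rules are tried in order; the first one that matches decides the behavior."""
    for rule in ruleset:
        pattern = rule.get("pattern")     # a rule without a pattern matches anything
        if pattern is None or connective_match(pattern[0], pattern[1], evidence):
            return rule["behavior"], rule.get("description", "")
    # Constructed fallback: a ruleset should end in a catch-all so this is never reached.
    return "block", "no rule fired"


# Constructed ruleset for "I don't want companies to share my data" (RECIPIENT=ours).
RULESET = [
    {"behavior": "request", "pattern": ("or-exact", ["ours"])},
    {"behavior": "limited", "description": "Warning! Data may be shared.",
     "pattern": ("or", ["same", "delivery"])},
    {"behavior": "block", "description": "catch-all"},
]
```

With plain "or" in the first rule, a policy declaring both ours and unrelated would be accepted; "or-exact" is what makes the rule mean "ours and nothing else".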

8 Microsoft privacy template language
- See Appendix D of Web Privacy with P3P
- http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp
- Specifies rules for user agents to handle various types of cookies
- Based on P3P compact policy tokens
- Allows policies for specific web sites

9 Microsoft example
<site domain="www.BlueYonderAirlines.com" action="accept">

10 EPAL
- Enterprise Privacy Authorization Language
- Developed by IBM, submitted to W3C
- Allows enterprises to develop granular rules to check whether data access is authorized
- Similar to P3P syntax but not identical
- Includes
  - Data-categories
  - User-categories - administrators, doctors, etc.
  - Purposes
  - Actions - disclose, read, etc.
  - Obligations - delete after 30 days, get consent, etc.
  - Conditions - user category = doctor
  - Allow and deny rules
- http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
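A gatekeeper check built from the EPAL elements listed above, as an added example that is not from the original slides, from IBM, or in EPAL's XML syntax. The category names, the `treating` context flag, first-applicable-rule ordering and the default-deny fallback are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    ruling: str                       # "allow" or "deny"
    user_category: str
    data_category: str
    purpose: str
    action: str
    condition: Optional[Callable[[dict], bool]] = None
    obligations: list = field(default_factory=list)

    def applies(self, req):
        keys = ("user_category", "data_category", "purpose", "action")
        same = all(getattr(self, k) == req[k] for k in keys)
        ctx = req.get("context", {})
        return same and (self.condition is None or self.condition(ctx))


def authorize(policy, req, default="deny"):
    """Return (ruling, obligations). First applicable rule wins (assumption);
    a request that no rule covers gets the default ruling."""
    for rule in policy:
        if rule.applies(req):
            return rule.ruling, list(rule.obligations)
    return default, []


# Constructed policy: deny rule listed first, then a conditional allow with an obligation.
POLICY = [
    Rule("deny", "doctor", "medical-record", "marketing", "disclose"),
    Rule("allow", "doctor", "medical-record", "treatment", "read",
         condition=lambda ctx: ctx.get("treating") is True,
         obligations=["delete after 30 days"]),
]


def request(user, purpose, action, **context):
    """Build a constructed access request for the medical-record data category."""
    return {"user_category": user, "data_category": "medical-record",
            "purpose": purpose, "action": action, "context": context}
```

The caller must carry out the returned obligations; an allow ruling whose obligations are dropped is not an authorized access under the policy.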

11 Announcements
- Bring laptop (with wireless card if possible) to class on Wednesday
- Project proposal due Oct 19
- Homework 7/8 due Oct 26

12 Homework 4 Discussion
- http://lorrie.cranor.org/courses/fa05/hw4.html
- Privacy software reviews
- Why do sites use web bugs?

13 Homework 5 Discussion
- http://lorrie.cranor.org/courses/fa05/hw5.html
- Similarities and differences of P3P user agents
- What did you like or dislike about them?
- Experience creating bank P3P policies

