Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu Presented by Yajie Zhu 03/24/2005

Outline Introduction Overview of P3P Current P3P implementations Server-centric implementation Algorithms Results of performance experiments Conclusion and future work

Introduction Platform for Privacy Preferences(P3P) –web users gain control over their private information –web site owners can express their privacy policies in a standard format –a user can programmatically check against her privacy preferences to decide whether to release her data to the web site P3P became a W3C Recommendation on April 16, 2002

Overview of P3P Privacy Policies: –An XML format in which a web site can encode its data-collection and data-use practices Privacy Preferences: –A machine-readable specification of a user’s preferences that can be programmatically compared against a privacy policy Detailed information:

P3P Policy Description P3P policies are described as a sequence of STATEMENT elements. –CONSEQUENCE: the purpose for collecting information in human-readable text –PURPOSE: purposes for which information is collected. 12 predefined values. Ex:,, –RECIPIENT: the users of the collected information 6 predefined values. Ex:,, Opt-in or opt-out values can be assign to the required attribute of PURPOSE and RECIPIENT elements

P3P Policy Description (Cont.) –RETENTION: the duration for which the collected information will be kept 5 predefined values Ex:,, –DATA-GROUP and DATA: the list of individual data items that are collected for stated purposes in the statement. predefined types of data items DATA can contain related category information. –CATEGORIES: provide hints to users as to the intended uses of the data. Ex:,,

An Example Policy

Privacy Preferences Privacy preferences are expressed in APPEL as a list of RULEs –Rule behavior: specifies the action to be taken if the rule fires. request, block –Rule body: Provides the pattern that is matched against a policy.

Privacy Preferences (Cont.) Connective attribute: defines the logical operators of the language. –And (default): all of the contained expressions can be found in the policy –Or : one or more of the contained expressions can be found in the policy –And-exact –Or-exact –Non-and (negated and) –Non-or (negated or) Every element in an APPEL rule has a connective associated with it.

An Example APPEL Preference

The Reference File A site may have multiple privacy policy for different web pages, which may offer various services. A site’s reference file assigns individual policies with subsets of the URIs. In the reference file, each policy has a set of INCLUDE/EXCLUDE declarations of the URIs. /* /catalog/* /cgi-bin/* /servlet/* /catalog/* /cgi-bin/* /servlet/* /servlet/unknown

Current P3P Implementation Client-Centric Architecture –Web sites create and install policy files at their sites. P3PEdit: a web-based privacy policy generator IBM Tivoli Privacy Wizard: a web-based GUI tool to define privacy policies –The users browse a web site, their preferences are checked against a site’s policy before they access the sit.

Client-Centric Architecture Implementation IE6 implementation of Compact P3P policies –IE6 allows a user to specify her privacy preference for handling cookies AT&T Privacy Bird –It accepts user-defined APPEL privacy preference –An APPEL engine compares a user’s APPEL preference with a web site’s P3P policy Other Tools –JRC APPEL Preference Editor: a Java-based editor for preparing APPEL preferences. –JRC P3P Proxy: a centralized proxy service that conducts P3P privacy policy checking on behalf of subscribed users

Server-Centric Architecture A website deploys P3P, and installs its privacy policies in a database system Database querying at the server is used for matching a user’s preferences against privacy policies –Convert privacy policies into relational tables and convert an APPEL preference into an SQL query for matching. –Store privacy policies in relational tables, define an XML view over them, and use an XQuery derived from an APPEL preference for matching. –Store privacy policies in a native XML store and use an XQuery derived from an APPEL preference for matching.

Server-Centric Architecture (Cont.) Advantages –The preference checking at the server leads to lean clients (mobile device) –An upgrade in P3P specification only require an upgrade in all the servers –As new privacy-sensitive applications emerge, they will reuse checking done at the server –Site owner can refine their policies, when they know that policies have a conflict with the users’ privacy preferences –Using databases for preference matching yields additional advantages The privacy data tables can serve as meta data for ensuring that polices are followed Can reuse the proven database technology for checking preferences against policies. Versions of policies can be better managed

Server-Centric Architecture (Cont.) Disadvantages –There needs to be a greater amount of trust on the server The user has to trust the server The user has to trust the database software used by the server –By using Client-Centric to cache a reference file, the client may avoid some checks, if a user visits many pages that are governed by the same policy

Algorithms for Server-Centric Implementation Database Schema for P3P policy Populate the tables with the data

Algorithms for Server-Centric Implementation (Cont.) Translating APPEL Preferences into SQL Queries –The main() mirrors the structure of the APPEL rule. –The match() generates the SQL code for matching an APPEL expression Select elements in the P3P policy from the table Ensure that the elements belong to their parent elements Match any attributes specified in the APPEL expression Recursively match any sub expressions with the appropriate connective.

Optimizations Reduce the number of tables in order to reduce the number of joins in the generated SQL queries –Store P3P subelements in their parent table, not in separate tables. –Store the value of RETENTION in STATEMENT table, since each STATEMENT can have only one RETENTION element. –Store the value of CONSEQUENCE in a nullable column in STATEMENT table.

Translation Example Simplified First Rule from Jane’s APPEL preference SQL Translation

Algorithms for Server-Centric Implementation (Cont.) Translating APPEL Preferences into XQuery –The main() generates an XQuery if statement Return the rule behavior if the condition expressed by the rule is met by the application policy –The match() translates the body of the rule

Performance Experiments Measure the time to match a P3P policy with an APPEL Preference –Experimental Setup A native APPEL engine from the Joint Research Center DB2 UDB 7.2 as a database engine Translating APPEL preference into XQuery, use the XTABLE prototype –Data Set 29 P3P policies (size from 1.6 to 11.9 Kbytes) 5 APPEL preference with 5 different levels of sensitivity

Performance Results

Conclusion and Future work Contributions of the paper –Identification of P3P as an important application area for database systems. –Investigation of alternative architectures for implementing P3P. –Proposal for a server-centric architecture based on database querying technology. –Mapping of a P3P policy schema into a relational schema for storing policy data. –Algorithms for translating privacy preferences expressed in APPEL into SQL as well as XQuery. –Performance experiments showing that the proposed architecture has adequate performance for it to be used in practical deployments of P3P. Future work Explore the use of database query languages for directly expressing and representing privacy preference Identify the minimal subset of SQL and XQuery Develop and implement database mechanisms for ensuring that the privacy policies are indeed being followed

Questions and Discussions