An XPath-based Preference Language for P3P
Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu
IBM Almaden Research Center


Growing Concern about Privacy
“Privacy #1 issue in the 21st Century” - Wall Street Journal, January 24, 2000
The issues of trust, privacy and security are generally believed to be the greatest barriers to widespread use of the Internet for commercial purposes.

What is P3P
Current privacy policies are written by the lawyers, for the lawyers
P3P solves this problem.
–Encodes policies in machine readable format (XML).
–Goal: programmatically match privacy policies with user preferences.
–W3C recommendation (April 2002)
Need preference language to make this work!
–APPEL: W3C Draft
–Unfortunately …

Outline
Motivation
Problems with APPEL
Can these problems be fixed?
An XPath-based preference language
Conclusion

Context: P3P Policies......

Jack’s Simple Preference
Only purposes “current” and “pseudo-analysis” are acceptable.
Will use this example to illustrate the problems with APPEL.

Jack’s First Attempt
APPEL preferences are organized as a list of rules
The APPEL engine evaluates rules in order until one fires

Jack’s First Attempt
Rule head: Specifies the outcome of the rule (request or block)
Rule body: Specifies the structure and content of matching policies

Jack’s First Attempt
Strictly access sites which collect personal information for purposes “current” and “pseudo-analysis”
Logical connectives: Govern matching of subelements

Problem: Policies with Multiple Statements
… … … … … …
This statement will match, and the policy will be accepted.
This statement (tele-marketing) is exactly what Jack tried to avoid by putting “or-exact” in purpose!
Problem: A policy can have multiple statements, some of which may violate the user’s preference

Jack’s Second Attempt
… … … …
Use “and-exact” to ensure that each statement in the policy satisfies the condition
Problem: The connective applies to the subelements of a STATEMENT, not to all statements in a policy

Jack’s Second Attempt
… … … …
Use “and-exact” to ensure that each statement in the policy satisfies the condition

Problem: POLICY has Multiple Subelements
… … … … … … …
Problem: POLICY has other subelements aside from STATEMENT

Key Point: Cannot Specify What is Acceptable
… … … … … … … …
There is no STATEMENTS tag in P3P (which could be used to specify a logical connective)

Jack spends quality time with the manuals …
… figures out he can convert his preference into specifying what is unacceptable.

Jack’s Third Attempt
Convert positive preferences into negative preferences
Note: Must enumerate all unacceptable purposes
Problem: Does not block web sites that use extensions

How about a slightly more complex preference?
Purposes “current” and “pseudo-analysis” are acceptable
Purpose “individual-analysis” is also acceptable provided the recipient is “ours”

Negating Logical Expressions…
First, have to negate the expression (since we can’t specify what is acceptable).
–Forall (current OR … OR ( … AND … ) => accept
Becomes:
–Exists !(current AND … and ( … OR … ) => block

Parse Tree of Expression
Or
  Purpose = “current”
  Purpose = “pseudo-analysis”
  And
    Purpose = “individual-analysis”
    Recipient = “ours”

Negated Parse Tree of Expression
And
  Purpose != “current”
  Purpose != “pseudo-analysis”
  Or
    Purpose != “individual-analysis”
    Recipient != “ours”

Parse Trees that can be Expressed in APPEL
Statement connective
  Purpose connective
    current
    individual-analysis
    pseudo-analysis
  Recipient connective
    ours
Logical expressions involving PURPOSE and RECIPIENT that can be expressed as a single APPEL rule
Cannot express the desired condition as a single rule
The condition can be expressed as multiple rules, but the translation is no longer a simple negation

Translation into APPEL
Negations must be translated into enumerations

Recap: Problems With APPEL
APPEL rules cannot be used to specify what is acceptable, only what is unacceptable
Logical expressions involving simple combinations of purpose, recipient and data are hard to express
–APPEL logical connectives are tied to the structure of a policy
Writing APPEL preferences is error prone, even for experts
–Errors in the APPEL working draft

Outline
Overview of P3P and APPEL
Problems with APPEL
Can these problems be fixed?
An XPath-based preference language
Conclusion

New Operators
Enumeration of unacceptable choices
–Can APPEL be fixed by adding new operators?
Any-except logical connective
–True if any element in the policy is not listed as a subelement in the rule

Any-except Operator: Helps for Example 1, but not Example 2
Lists acceptable choices
Preferences involving logical operators over combinations of purpose, recipient, and data are still a problem

Modify P3P to Fix APPEL?
… … … …
Add a STATEMENTS tag to P3P policies to specify acceptable policies
P3P is a W3C Recommendation and therefore hard to change
Conditions over combinations of PURPOSE, RECIPIENT and DATA remain hard to express

Summary: Can the problems be fixed?
Problems with APPEL are fundamental.
Problems arise from the design choice to structure APPEL like P3P
Fixing APPEL would essentially mean designing a new language.

Outline
Overview of P3P and APPEL
Problems with APPEL
Can these problems be fixed?
An XPath-based preference language
Conclusion

Language Design Goals
At least as expressive as APPEL
–APPEL designers investigated requirements for a preference language
Use, if possible, an existing language
–P3P is specified in an XML format
–XPath is a query language for XML
–XPath is a W3C Recommendation which is already used in a variety of available systems
–Benefits from the rigorous work done on the design of XPath syntax and semantics

XPref
Retain APPEL rule heads
Replace APPEL rule bodies with XPath
–Using a strict subset of XPath 1.0 necessary for expressing preferences
–Adding the XPath 2.0 “every” quantified expression to simplify expressing positive preferences

Negative Preferences in XPref
<RULE behavior="block"
      condition="/POLICY/STATEMENT[PURPOSE/*[name(.) = 'individual-analysis'] and RECIPIENT/*[name(.) != 'ours']]" />
Block access to sites where the purpose is “individual-analysis” and the recipient is not “ours”

Positive Preferences in XPref
<RULE behavior="request"
      condition="/POLICY[every $pname in STATEMENT/PURPOSE/* satisfies (name($pname) = 'current' or name($pname) = 'pseudo-analysis')]" />
Access sites whose purposes for collecting information are strictly “current” or “pseudo-analysis”
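The two XPref rules above and the multi-statement problem from the earlier slides, evaluated over a constructed policy. This is an added example, not code from the presentation or the XPref paper: it walks the tree with Python's standard library instead of an XPath 2.0 engine, and the policy text, the function names and the per-statement check standing in for Jack's first attempt are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed policy, reduced to the elements the rules inspect (no namespace,
# no ENTITY/ACCESS/DATA-GROUP). "telemarketing" is the P3P purpose element.
POLICY_XML = """
<POLICY>
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
</POLICY>
"""
ALLOWED = {"current", "pseudo-analysis"}

def names(node, path):
    """Element names selected by a child path such as PURPOSE/*."""
    return {e.tag for e in node.findall(path)}

def some_statement_ok(policy):
    """Stand-in for Jack's first attempt: fires as soon as ONE statement
    lists only allowed purposes, whatever the other statements say."""
    purposes = [names(s, "PURPOSE/*") for s in policy.findall("STATEMENT")]
    return any(bool(p) and p <= ALLOWED for p in purposes)

def every_purpose_ok(policy):
    """XPref positive rule: every $pname in STATEMENT/PURPOSE/* is allowed.
    Like XPath 2.0 'every', this is true when no purpose is present."""
    return all(p.tag in ALLOWED for p in policy.findall("STATEMENT/PURPOSE/*"))

def block_rule(policy):
    """XPref negative rule: some STATEMENT has purpose individual-analysis
    and at least one recipient other than ours."""
    return any(
        "individual-analysis" in names(s, "PURPOSE/*")
        and bool(names(s, "RECIPIENT/*") - {"ours"})
        for s in policy.findall("STATEMENT")
    )

def evaluate(xml_text):
    policy = ET.fromstring(xml_text)  # root element is POLICY
    return {"first_attempt_accepts": some_statement_ok(policy),
            "xpref_request": every_purpose_ok(policy),
            "xpref_block": block_rule(policy)}

if __name__ == "__main__":
    print(evaluate(POLICY_XML))
```

The constructed policy is accepted by the per-statement check but not by the `every` rule, which is the gap the telemarketing statement exposes; note that `every` also holds for a policy with no purposes at all.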

Expressive Power
Algorithm for converting APPEL to XPref

Conclusion
P3P is currently the only standard for expressing privacy policies on the web
To be successful, P3P needs a viable preference language
XPref solves the problems of APPEL
XPref is based upon XPath which is an existing and successful standard
An algorithm which translates XPref into APPEL is given in the paper
Next step: make XPref a W3C recommendation

Policy-Preference Matching
[Diagram: Browser, Web Server and APPEL Engine, with numbered steps]
1 request policy
2 send policy
3 policy and user preference
4 result of matching
5 request web page if policy conforms to preference

P3P Adoption
[Chart: sites posting P3P policies among 100 most popular sites (%), by year]