Specifying Personal Privacy Policies to Avoid Unexpected Outcomes
George Yee and Larry Korba {George.Yee,
PST 2005, October 12-14, 2005.


Overview
– Introduction
– Privacy policies and e-services
– Unexpected outcomes
– Preventing unexpected outcomes
– Conclusions and future research

Introduction
– Drivers for personal privacy policies
  – Growth of the Internet: greater consumer exposure to e-services; growth of consumer awareness of the lack of privacy
  – Privacy legislation: greater consumer awareness of privacy rights
– Privacy policies on the Internet
  – Posted privacy policies
  – P3P privacy policies for web sites: a browser plug-in allows checking of personal privacy preferences against a web site’s policy
  – “Privacy Bird”: checks preferences, displays the policy in easy-to-understand language, customizable warnings

Privacy policies and e-services
– Consumer privacy policy
  – Necessary content implied by privacy legislation (minimal policy)
  – Simple, so that it can be understood by the average e-service consumer
  – Machine processable, e.g. using an XML-based language such as APPEL
– Provider has its own policy
– Example consumer policy (a header followed by privacy rules):
  Header:
    Policy Use: E-learning
    Owner: Alice Consumer
    Proxy: No
    Valid: unlimited
  Privacy Rule:
    Collector: Any
    What: name, address, tel
    Purposes: identification
    Retention Time: unlimited
    Disclose-To: none
  Privacy Rule:
    Collector: Any
    What: Course Marks
    Purposes: Records
    Retention Time: 2 years
    Disclose-To: none

Privacy policies and e-services
Privacy Management Model
– Consumer and provider each have a privacy policy
– Prior to engaging a service, privacy policies are exchanged between consumer and provider to see if they match
– Provider requests private data according to its privacy policy
– Consumer may resist any privacy reduction; she may only be willing to provide private data according to her preferences
– A match between policies occurs if, in the respective policies,
    privacy reduction allowed by consumer ≥ privacy reduction required by provider
  Otherwise, there is a mismatch.

Privacy policies and e-services
Policy mechanics
– A privacy policy is considered upgraded (downgraded) if the new version represents more (less) privacy than the prior version.
– Where time is involved, a private item held for less time is considered more private* (*as long as it is thoroughly expunged!).
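The matching rule above (privacy reduction allowed by consumer ≥ privacy reduction required by provider) carried out on a machine-processable form of the slide's consumer policy, as an added example that is not code from the paper. It assumes a dict layout with periods in days (None for unlimited), disclose_to as a set (empty meaning "none"), and the per-attribute comparisons spelled out in the comments; the provider policies are constructed.

```python
UNLIMITED = None  # retention and validity periods are in days; None means "unlimited"

def rule(collector, what, purposes, retention_days, disclose_to=()):
    """Build one privacy rule; an empty disclose_to means "none"."""
    return {"collector": collector, "what": frozenset(what),
            "purposes": frozenset(purposes), "retention_days": retention_days,
            "disclose_to": frozenset(disclose_to)}

# Alice's consumer policy, transcribed from the slide (2 years written in days).
ALICE = {"use": "E-learning", "owner": "Alice Consumer", "proxy": False,
         "valid_days": UNLIMITED, "rules": [
    rule("Any", ["name", "address", "tel"], ["identification"], UNLIMITED),
    rule("Any", ["course marks"], ["records"], 2 * 365),
]}

def time_covered(required, allowed):
    """Holding data for `required` days is no less private than `allowed` days."""
    return allowed is UNLIMITED or (required is not UNLIMITED and required <= allowed)

def rule_covered(provider_rule, consumer_rule):
    """Consumer rule permits at least the privacy reduction the provider rule needs:
    no extra items, purposes or recipients, no longer retention, an acceptable collector."""
    p, c = provider_rule, consumer_rule
    return (p["what"] <= c["what"] and p["purposes"] <= c["purposes"]
            and time_covered(p["retention_days"], c["retention_days"])
            and p["disclose_to"] <= c["disclose_to"]
            and c["collector"] in ("Any", p["collector"]))

def policies_match(consumer, provider):
    """Return (matched, provider rules no consumer rule covers); a non-empty
    second element is a mismatch that negotiation would have to resolve."""
    unmet = [p for p in provider["rules"]
             if not any(rule_covered(p, c) for c in consumer["rules"])]
    return not unmet, unmet

# Constructed provider policies: one that Alice's policy covers, and one that keeps
# course marks longer and passes them on (requiring more privacy reduction).
PROVIDER_OK = {"use": "E-learning", "owner": "Constructed Provider", "proxy": False,
               "valid_days": UNLIMITED, "rules": [
    rule("Registrar", ["name", "address"], ["identification"], 365),
    rule("Registrar", ["course marks"], ["records"], 2 * 365),
]}
PROVIDER_TOO_MUCH = {**PROVIDER_OK, "rules": PROVIDER_OK["rules"][:1] + [
    rule("Registrar", ["course marks"], ["records"], 5 * 365, ["Accreditation body"]),
]}

if __name__ == "__main__":
    print(policies_match(ALICE, PROVIDER_OK))           # (True, [])
    print(policies_match(ALICE, PROVIDER_TOO_MUCH)[0])  # False
```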

Unexpected outcomes
Interested in outcomes from the matching of privacy policies arising from:
– How the match was obtained
– Matching policy content
Outcomes: how the matching was obtained
– A match may have been obtained through an upgrade/downgrade (during negotiation)
  – Upgrade: provider required too much user privacy reduction; provider upgrades its policy (more privacy via less private data)
    Unexpected outcome: private data left out may lead to extra costs, e.g. leaving out a credit card requirement leads to a more costly means of payment

Unexpected outcomes
  – Downgrade: mismatch due to the consumer policy allowing too little privacy reduction, so the consumer downgrades her policy (less privacy) to give more private data to the provider
    Unexpected outcome: extra private data leads to the provider needing to put more costly data protection safeguards in place, e.g. for highly sensitive health information
More examples in paper…

Preventing unexpected negative outcomes: need “well-formed” policies
Definition 1 (Unexpected negative outcome): The use/development of privacy policies such that a) the outcome is unexpected by both provider and consumer, and b) the outcome leads to the provider and/or consumer experiencing some loss, which could be private information, money, time, convenience, job, etc., including serious losses.

Preventing unexpected outcomes
Definition 2: A well-formed (WF) privacy policy (for either consumer or provider) is one that does not lead to unexpected negative outcomes.
Definition 3: A near well-formed (NWF) privacy policy is one in which the attributes Valid, Collector, Retention Time, and Disclose-To have each been considered against all known misspecifications that can lead to unexpected negative outcomes.
A NWF privacy policy is the best that we can achieve at this time:
– No guarantee that unexpected negative outcomes will not occur
– Reduces the probability that they will occur

Preventing: Some Rules
Rule for Valid: Time period must be >= longest retention time. (There is always a consumer privacy policy governing the consumer information.)

Preventing: Some Rules
Rule for Collector: Availability of the individual to receive the information must be considered.

Preventing: Some Rules
Rule for Retention Time: Consequences of the retention time expiration (provider destroys the corresponding information) must be considered.
– If the consequences do not lead to unexpected negative outcomes, proceed to specify the desired time. Otherwise, or if there is doubt, specify the length of time the service will be used.

Preventing: Some Rules
Rule for Disclose-To: Consequences of successive propagation of your information, starting with the first party mentioned in the Disclose-To, must be considered.
– If the consequences do not lead to unexpected negative outcomes, proceed with the specification of the Disclose-To party or parties. Otherwise, or if there is doubt, specify “none” or “name of receiving party, no further”.
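The four rules above (Valid, Collector, Retention Time, Disclose-To) applied mechanically to a policy, as an added example that is not code from the paper. It assumes a dict policy layout with periods in days (None for unlimited), disclose_to as a set of party names (empty meaning "none", a ", no further" suffix marking a party that may not pass the data on) and invented field names; only the Valid rule is fully decidable, so the other three yield prompts for the consequences a person must weigh, plus the rules' own fallbacks.

```python
def longest_retention(policy):
    """Longest retention time over all rules; None if any rule is unlimited."""
    days = [r["retention_days"] for r in policy["rules"]]
    return None if None in days else max(days, default=0)

def nwf_findings(policy):
    """Return (attribute, message) pairs the rules flag; empty means nothing found."""
    findings = []
    longest, valid = longest_retention(policy), policy["valid_days"]
    # Rule for Valid: the validity period must be >= the longest retention time.
    if valid is not None and (longest is None or longest > valid):
        findings.append(("valid", "shorter than longest retention time (%s)"
                         % ("unlimited" if longest is None else longest)))
    for r in policy["rules"]:
        # Rule for Collector: a named party may be unavailable to receive the data.
        if r["collector"] != "Any":
            findings.append(("collector", "consider availability of %r" % r["collector"]))
        # Rule for Disclose-To: a party not marked "no further" can propagate the data.
        for party in r["disclose_to"]:
            if not party.endswith(", no further"):
                findings.append(("disclose_to", "consider propagation beyond %r" % party))
    return findings

def retention_to_specify(desired_days, service_duration_days, consequences_ok):
    """Rule for Retention Time: keep the desired time only when the expiry
    consequences are known to be harmless; otherwise, or in doubt, use the
    length of time the service will be used."""
    return desired_days if consequences_ok else service_duration_days

def disclose_to_specify(parties, consequences_ok, allow_first_hop=False):
    """Rule for Disclose-To: keep the parties only when successive propagation
    has been considered; otherwise "none", or each party marked "no further"."""
    if consequences_ok:
        return frozenset(parties)
    if not allow_first_hop:
        return frozenset()                                   # "none"
    return frozenset(p + ", no further" for p in parties)

# Constructed consumer policy with three misspecifications the rules catch:
# finite validity with unlimited retention, a single named collector, and a
# Disclose-To party whose onward propagation has not been bounded.
RISKY = {"use": "Nursing", "owner": "Alice Consumer", "valid_days": 365, "rules": [
    {"collector": "Dr. Alexander Smith", "what": frozenset({"medical condition"}),
     "purposes": frozenset({"care"}), "retention_days": None,
     "disclose_to": frozenset({"Insurer"})},
]}

if __name__ == "__main__":
    for attribute, message in nwf_findings(RISKY):
        print(attribute, "-", message)
```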

Preventing unexpected outcomes: Approach
Incorporate the above rules when specifying the initial policy
– Use an automatic or semi-automatic specification method (e.g. G. Yee and L. Korba, “Semi-Automated Derivation of Personal Privacy Policies”, Proceedings, The IRMA International Conference 2004 (IRMA 2004), New Orleans, May 23-26, 2004.)
– Rules application may employ a combination of artificial intelligence and user/provider query/response techniques to appreciate consequences.
– Apply rules during manual policy specification, employing a tool for exploring possible consequences.

Preventing unexpected outcomes
Use privacy policy negotiation where NWF policies from the initial specification do not match:
– Avoid undoing NWF-ness from the initial specification; upgrades and downgrades may inadvertently undo the NWF-ness.
– Take advantage of negotiation to expose a needed application of the above rules.
Paper provides examples

Summary
– Unexpected outcomes can arise from matching of privacy policies
– Proposed an approach using near-well-formed policies to minimize unexpected negative outcomes
  – Approach will work for other privacy policy formulations
– Privacy policy formulations must conform to privacy legislation; therefore they do not differ substantially, and our approach is a minimal policy that conforms.

Conclusions and future research
Further research:
– Explore further unexpected negative outcomes
– Tools for consequences exploration
– Other methods for avoiding or mitigating unexpected negative outcomes
– Implement the proposed approach (extend current prototype)
– Application in other areas: security risk analysis

Thank-you

Preventing unexpected outcomes
Example negotiation between Nursing Online (Provider) and Alice (Consumer), read from left to right, top to bottom on the slide:
Nursing Online: OK if a nurse on our staff is told your medical condition?
Alice: No, only Dr. Alexander Smith can be told my medical condition.
Nursing Online: We cannot provide you with any nursing service unless we know your medical condition.
Alice: OK, I’ll see Dr. Smith instead.
Nursing Online: You are putting yourself at risk. What if you need emergency medical help for your condition and Dr. Smith is not available?
Alice: You are right. Do you have any doctors on staff?
Nursing Online: Yes, we always have doctors on call. OK to allow them to know your medical condition?
Alice: That is acceptable. I will modify my privacy policy to share my medical condition with your doctors on call.
Negotiation guides the application of the rule for Collector, preventing the unexpected outcome that Alice will be left with no medical help.