Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell."— Presentation transcript:

1 Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell

2 Formal Languages for Privacy One approach to protecting privacy is to articulate and enforce restrictions on data practices One approach to protecting privacy is to articulate and enforce restrictions on data practices Several formal languages for privacy Several formal languages for privacy  W3C’s Platform for Privacy Preferences (P3P)  IBM’s Enterprise Privacy Authorization Language (EPAL) Lack a connection between announced P3P policies and operative EPAL policies Lack a connection between announced P3P policies and operative EPAL policies We make this connection through a unified, data- centric model for privacy policies We make this connection through a unified, data- centric model for privacy policies

3 Usage Scenario Service ProviderConsumer DPAL Policy P3P Policy Compact P3P Generates Enforces APPEL Preference User Agent or Accept

4 Overview Motivate and describe our model Motivate and describe our model  Perspectives on privacy  Data hierarchies and levels of detail  Policies as sets of promises  Enforcement Apply our model to existing languages Apply our model to existing languages  Anomalies in APPEL and XPref  Semantics for P3P compact policies  Connecting privacy promises and enforcement  Policy summarization using projection

5 Perspectives on Privacy Two types of principals in privacy Two types of principals in privacy  Service providers  Consumers Service providers impose a lower bound Service providers impose a lower bound Consumers impose an upper bound Consumers impose an upper bound A privacy policy satisfying both these bounds is acceptable to both parties A privacy policy satisfying both these bounds is acceptable to both parties

6 Example: Privacy Perspectives Service provider lower bound: Service provider lower bound:  “I want to use a consumer’s home address in delivering my product.” Consumer upper bound: Consumer upper bound:  “I don’t want my home telephone number to be used for telemarketing.”

7 Data Hierarchies for Privacy Privacy policies summarize data practices Privacy policies summarize data practices Different policies (and different languages) summarize practices at different levels of detail Different policies (and different languages) summarize practices at different levels of detail Levels of detail represented in a data hierarchy Levels of detail represented in a data hierarchy T-cell CountBlood Cholesterol Level Blood Test Results

8 Policies as Sets of Promises View a privacy policy as a set of promises a service provider makes to a consumer View a privacy policy as a set of promises a service provider makes to a consumer  “I will not disclose your blood cholesterol level.” Can the service provider disclose blood test results? Can the service provider disclose blood test results?  Not all blood test results  But some (T-cell count) Service provider uses a lower bound, answers No Service provider uses a lower bound, answers No Consumer uses an upper bound, answers Yes Consumer uses an upper bound, answers Yes

9 Modal Reasoning about Policies Formalize reasoning using modal logic Formalize reasoning using modal logic Modalities ( and ◊) over data hierarchy Modalities ( and ◊) over data hierarchy Blood test results ||- Disclose Blood test results ||- Disclose  Service provider may disclose all components of blood test results Blood test results ||- ◊ Disclose Blood test results ||- ◊ Disclose  Service provider may disclose some components of blood test results

10 Enforcing Privacy Promises Motivation: If an EPAL policy enforces a P3P policy and a consumer accepts the P3P policy, then the consumer accepts the EPAL policy Motivation: If an EPAL policy enforces a P3P policy and a consumer accepts the P3P policy, then the consumer accepts the EPAL policy Formally defined in our model using modal logic Formally defined in our model using modal logic  Consumers use a class of modal formulae in reasoning about a policy  Ensure that reasoning carries over from enforced to enforcing policy Generalizes previous privacy policy relations Generalizes previous privacy policy relations

11 Overview Motivate and describe our model Motivate and describe our model  Perspectives on privacy  Data hierarchies and levels of detail  Policies as sets of promises  Enforcement Apply our model to existing languages Apply our model to existing languages  Anomalies in APPEL and XPref  Semantics for P3P compact policies  Connecting privacy promises and enforcement  Policy summarization using projection

12 Privacy Preferences Several languages exist for expressing consumer privacy preferences about P3P Several languages exist for expressing consumer privacy preferences about P3P A P3P user agent compares received policy with user’s preferences and may block web site A P3P user agent compares received policy with user’s preferences and may block web site APPEL proposed by the W3C APPEL proposed by the W3C XPref was proposed in response XPref was proposed in response  Based on XPath Both APPEL and XPref can express anomalous preferences Both APPEL and XPref can express anomalous preferences  “Block web sites that do not telemarket.”

13 P3P Compact Policies Compact policies are terse policy summaries Compact policies are terse policy summaries Included in HTTP headers with cookies Included in HTTP headers with cookies  Interpreted by Internet Explorer We give compact policies clear semantics We give compact policies clear semantics  Represent the value of certain ◊ terms  Answer common consumer queries

14 Example: Compact Semantics P3P policy states: P3P policy states:  “Service provider may use your purchase history for telemarketing.” Represented in compact policy as: Represented in compact policy as:  TEL Semantics of TEL term: Semantics of TEL term:  Personal information ||- ◊ Telemarketing

15 Enforcing Privacy Promises Detailed policy descriptions used for enforcement Detailed policy descriptions used for enforcement EPAL proposed as one such enforcement language EPAL proposed as one such enforcement language EPAL geared towards answering service provider queries (evaluating terms) EPAL geared towards answering service provider queries (evaluating terms)  -invariance: d ||- a  d ||- a -invariance equivalent to safety -invariance equivalent to safety  A policy is safe iff less detailed questions do not lead to more rights EPAL not actually safe (but that’s another topic) EPAL not actually safe (but that’s another topic)

16 Transitivity of Enforcement EPAL Policy P3P Policy Compact Policy Enforces

17 Projection Algorithm Motivation: Leverage effort spent writing detailed enforcement policy to generate P3P policy Motivation: Leverage effort spent writing detailed enforcement policy to generate P3P policy Criteria for generated policy summary Criteria for generated policy summary  Enforced by detailed policy  Is the least permissive such policy (at a given level of detail) We provide an algorithm for generating such policy summaries We provide an algorithm for generating such policy summaries

18 Projection Algorithm (con’t)

19 Conclusion Proposed a uniform model for privacy Proposed a uniform model for privacy Discovered anomalies in APPEL and XPath Discovered anomalies in APPEL and XPath Defined clear semantics for P3P compact policies Defined clear semantics for P3P compact policies Connected privacy promises with privacy enforcement Connected privacy promises with privacy enforcement Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P) Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P) In privacy, it is important to consider the differing perspectives of the principals involved In privacy, it is important to consider the differing perspectives of the principals involved

20 Questions?

Download ppt "Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell."

Similar presentations

1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.

1 Long term changes to P3P Long Term Future of P3P Workshop Giles Hogben Joint Research Centre European Commission.
Privacy Policy, Law and Technology Carnegie Mellon University Fall 2005 Lorrie Cranor 1 Privacy Authorization Languages.

Privacy Policy, Law and Technology Carnegie Mellon University Fall 2005 Lorrie Cranor 1 Privacy Authorization Languages.
Critical Thinking Course Introduction and Lesson 1

Critical Thinking Course Introduction and Lesson 1
IS3350 Security Issues in Legal Context

IS3350 Security Issues in Legal Context
Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.

Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.
IBM Zurich Research Lab © 2004 IBM Corporation PART 5 Enterprise Privacy Policies.

IBM Zurich Research Lab © 2004 IBM Corporation PART 5 Enterprise Privacy Policies.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
1 Conditional XPath, the first order complete XPath dialect Maarten Marx Presented by: Einav Bar-Ner.

1 Conditional XPath, the first order complete XPath dialect Maarten Marx Presented by: Einav Bar-Ner.
Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.

Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.
Email Extras Plus! Pepper. Objectives E-mail extra knowledge Cookies Picture handling when creating site.

Extras Plus! Pepper. Objectives extra knowledge Cookies Picture handling when creating site.
1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,

1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,
Writing the Research Report The purpose of the written report is to present the results of your research, but more importantly to provide a persuasive.

Writing the Research Report The purpose of the written report is to present the results of your research, but more importantly to provide a persuasive.
1 Using Certified Policies to Regulate E-Commerce Transactions Victoria Ungureanu Rutgers University.

1 Using Certified Policies to Regulate E-Commerce Transactions Victoria Ungureanu Rutgers University.
Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu Presented by Yajie Zhu 03/24/2005.

Implementing P3P Using Database Technology Rakesh Agrawal Jerry Kiernan Ramakrishnan Srikant Yirong Xu Presented by Yajie Zhu 03/24/2005.
James Williams – Ontario Telemedicine Network. Objectives: 1. Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs.

James Williams – Ontario Telemedicine Network. Objectives: 1. Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs.
ReQuest (Validating Semantic Searches) Norman Piedade de Noronha 16 th July, 2004.

ReQuest (Validating Semantic Searches) Norman Piedade de Noronha 16 th July, 2004.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Web Privacy Topics Andy Zeigler Senior Program Manager, Internet Explorer Microsoft.

Similar presentations

Ads by Google