Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte.


Presentation on theme: "Pranam Kolari – Policy 2005 Enhancing Web Privacy Protection Through Declarative Policies Pranam Kolari 1 Li Ding 1, Lalana Kagal 2, Shashi Ganjugunte."— Presentation transcript:

1 Pranam Kolari – Policy 2005
Enhancing Web Privacy Protection Through Declarative Policies
Pranam Kolari¹, Li Ding¹, Lalana Kagal², Shashi Ganjugunte¹, Anupam Joshi¹, Tim Finin¹

2 Outline
• P3P/APPEL
• Motivation and Problem Description
• User Trust
• Rei Policy Language
• System Design
• Privacy Policy Specification
• Conclusion

3 P3P
• P3P is Platform for Privacy Preferences
• P3P defines protocols and specifies languages
• P3P Schema for Websites, APPEL Schema for Clients

4 P3P Sample Policy
<POLICY discuri="http://p3pbook.com/privacy.html" name="policy">
<DATA ref="#business.contact-info.online.email">privacy@p3pbook.com
<DATA ref="#business.contact-info.online.uri">http://p3pbook.com/
Web Privacy With P3P
We keep standard web server logs.
[Callouts: Site's name and contact info; Access disclosure; Statement; Human-readable explanation; How data may be used; Data recipients; Data retention policy; Types of data collected]
Slide Courtesy: Lorrie Cranor

5 APPEL
• APPEL is A P3P Preference Exchange Language
• Users specify their preference in APPEL
• W3C working draft in April 2002.
• Insignificant deployment (Cranor 2003)
• Expressiveness of APPEL extensively debated (Agrawal 2003)

6 P3P/APPEL
[Diagram labels: Website, P3P Policy, APPEL, User Preference]

7 Cathy

8 The problem …

9 Trusting Websites
• 56% of consumers don't believe businesses keep promises
• 63% believe independent verification is important
• 62% believe existing laws and organizational practices are insufficient
[Chart: Consumer Confidence; Trust website policies, Distrust website policies]
Source: (Ernst and Young report 2004)

10 Existing Mechanisms
• A4Proxy

11 P3P/XPref
[Diagram labels: Website, P3P Policy, XPref, User Preference]
<RULE behavior="request"
      condition="/POLICY[
        every $pname in STATEMENT/PURPOSE/* satisfies
          name($pname)='individual-decision'
        and every $rname in STATEMENT/RECIPIENT/* satisfies
          name($rname)='ours' ]"/>
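The XPref rule on slide 11 fires ("request") only when every PURPOSE child is individual-decision and every RECIPIENT child is ours. The check below is an added example, not part of the original slides: the two policies are constructed samples, and the function names and the "no-match" label are hypothetical.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"  # P3P 1.0 namespace

# Constructed sample policies (not from the slides).
ACCEPTABLE = f"""<POLICY xmlns="{P3P_NS}" name="ok">
  <STATEMENT>
    <PURPOSE><individual-decision/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
</POLICY>"""

SHARES_DATA = f"""<POLICY xmlns="{P3P_NS}" name="shares">
  <STATEMENT>
    <PURPOSE><individual-decision/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
</POLICY>"""

def local(tag):
    """Element name without ElementTree's '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def child_names(policy, container):
    """Names of every element selected by STATEMENT/<container>/*."""
    path = f"{{{P3P_NS}}}STATEMENT/{{{P3P_NS}}}{container}/*"
    return [local(e.tag) for e in policy.findall(path)]

def evaluate(policy_xml):
    """Return (behavior, offending element names) for the slide's rule."""
    policy = ET.fromstring(policy_xml)
    if local(policy.tag) != "POLICY":
        raise ValueError("root element is not POLICY")
    bad = [n for n in child_names(policy, "PURPOSE") if n != "individual-decision"]
    bad += [n for n in child_names(policy, "RECIPIENT") if n != "ours"]
    # 'every ... satisfies' holds over an empty sequence, so a policy that
    # declares no purposes or recipients also triggers "request".
    # "no-match" is a hypothetical label for "this rule did not fire".
    return ("request" if not bad else "no-match", bad)
```

Because the quantifiers are vacuously true on an empty policy, a preference written this way accepts a site that declares nothing at all.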

12 P3P Adoption
Existing problems have resulted in low P3P adoption…

13 Problem Description
• P3P policies published by websites are not trusted by users – (i)
• The languages available to describe user privacy preferences are not sufficiently expressive – (ii), and
• The P3P framework does not provide a coherent view of available privacy protection mechanisms to the user – (iii)

14 Our approach …

15 Social Recommendations (i)

16 Website Evaluation Ontology (i)
• Modeling User Perspective of Trust
• Populating ontology with instance data
  – BizRate
  – Services for users to explicitly specify preferences
• Share using existing social network mechanisms (Ding 2003)
[Figure: Website Evaluation Ontology, shown for the instance www.slashdot.org; properties: serviceType, popularity, hasP3P, hasTextPolicy, hasPrivacyCertifier, subDomainOf, isBasedOutOf, hasPolicyEnforcement, lawEnforcedBy, policySimilarTo, owner; values shown: DiscussionGroup, 9, 9, URI, --, URI, USA, Yes, US, OSDN]

17 Rei Policy Language (ii)(iii)
• Rei, a policy specification language developed by Lalana Kagal at UMBC (lkagal 2003)
• Encoded in (1) Prolog, (2) OWL
• Models deontic concepts of permissions, prohibitions, obligations and dispensations
• Uses meta policies for conflict resolution
• Uses speech acts for dynamic policy modification
• We used it as a policy specification language
  – RDF specification capability (matches that of P3P)
  – Dynamic Policies as future extension to our work
Part content Courtesy: Lalana Kagal

18 Rei Policy Language (ii)(iii)
[Diagram: Rei ontology; node labels: Policy, Granting, Entity, DeonticObject, Constraint, Action, Boolean, Simple, DomainAction, SpeechAct; edge labels: grants, to, deontic, requirement, context, actor, target, action, precondition, effect]

19 Rei Policy Modeling (ii)(iii)
• Two actors
  – Website
  – Webbrowser
• Multiple context
  – P3P RDF published by websites
  – User Context
  – Trust Recommendations
• Multiple actions with priorities
  – Right, Prohibition, Obligation*
*(not enforced)

20 System Design
[Architecture diagram labels: Trusted Agent Network (# FOAF; Golbeck, Li ideas of Trust); Website Recommender Network (# FOAF); Ontologies, Trust rules; Personal agents; Web Server; Clients; publish; publish (optionally); XSLT Transformer; JRC Privacy Proxy *; Rei Engine; Privacy Expert; Rei Privacy Policy (RDF based, enhancements over APPEL); P3P Policy]
Key Points
• Web Sites optionally publish P3P policies
• Clients specify privacy preferences using a policy language - Rei
• Privacy Expert is the privacy enhancement enabler by binding together entities of the system
• Rei Engine evaluates policies of users against website attributes
• Website Recommender Network propagates and builds a model of websites based on reputation
• FOAF – Enables the creation of the website recommender network

21 Example Policy [1] - Template
.. Current policy allows access to a website … …
[Callouts: Policy Rule; Rule Actor; Policy Constraint; Rule Desc.; Rule Action]

22 Example Policy [1] - Constraints
<constraint:SimpleConstraint rdf:about="&wwwpolicy;domainOfServiceConstraint"
    constraint:subject="&wwwpolicy;var1"
    constraint:predicate="&wwwpolicy;domainOfServiceConstraint"
    constraint:object="&weo;travel" />
<constraint:SimpleConstraint rdf:about="&wwwpolicy;trustedDomainGOVconstraint"
    constraint:subject="&wwwpolicy;var1"
    constraint:predicate="&weo;domainSuffix"
    constraint:object="&weo;gov" />
…
[Callout: Policy Constraint]

23 Example Policy [2] - Obligation
<policy:Policy rdf:about="&wwwpolicy;obligationexample" … ….. … …
[Callouts: Obligation; Right]

24 Example Policy [3] - Priority
… …
[Callouts: Default; Explicit Rules]

25 Conclusion
• We have contributed to showing the utility of an existing policy language in a highly complex policy engineering domain
• While we will continue to pursue this area, policy engineering and enforcement in Web Privacy offer many future challenges.
  – Enforcing Obligations
  – Engineering Delegation Logic using Speech Acts and subsequent enforcement
  – Browser support for a comprehensive web privacy framework

26 Questions ??
Paper and Presentation Available at: http://ebiquity.umbc.edu/v2.1/paper/html/id/213/

