Presentation is loading. Please wait.

Presentation is loading. Please wait.

From P3P to Data Licensing Cha, Shi-Cho ( 查士朝 ) and Joung, Yuh-zer ( 莊裕澤 ) Dept. of Information Management Nation Taiwan University, Taipei, Taiwan

Published byAgatha Maxwell Modified over 9 years ago

Similar presentations

Presentation on theme: "From P3P to Data Licensing Cha, Shi-Cho ( 查士朝 ) and Joung, Yuh-zer ( 莊裕澤 ) Dept. of Information Management Nation Taiwan University, Taipei, Taiwan"— Presentation transcript:

1 From P3P to Data Licensing Cha, Shi-Cho ( 查士朝 ) and Joung, Yuh-zer ( 莊裕澤 ) Dept. of Information Management Nation Taiwan University, Taipei, Taiwan csc@mba.ntu.edu.tw joung@ccms.ntu.edu.tw

2 2 Outlines Introduction Introduction Concept and benefits of Online Personal Data Licensing (OPDL) Concept and benefits of Online Personal Data Licensing (OPDL) Demonstrations of OPDL Demonstrations of OPDL Conclusions Conclusions

3 3 Introduction Personal data are wildly used for different purposes. Personal data are wildly used for different purposes. Some are good for people Some are good for people Personal data can also be abused, e.g. Personal data can also be abused, e.g. Unsolicited commercial e-mail Unsolicited commercial e-mail Credit card fraud Credit card fraud Many countries have enacted laws to protect personal data. Many countries have enacted laws to protect personal data.

4 4 Introduction (Cont’d) The consent principle The consent principle There are different kinds of consent There are different kinds of consent Written consent can provide the strongest power of evidence Written consent can provide the strongest power of evidence In the cyberspace, to consider the efficiency, passive consent is usually allowed and adopted In the cyberspace, to consider the efficiency, passive consent is usually allowed and adopted A Web site can only disclose its practices about personal data A Web site can only disclose its practices about personal data

5 5 An Example of the Problem With Passive Consent Time It is hard for the person to prove that he does not know the Privacy Policy 2 ! Policy 1 We do not collect personal data Policy 2 We collect click-streams

6 6 Framework of Online Personal Data Licensing (OPDL) To concretize people’s consents by letting users issue licenses of collecting and using their data To concretize people’s consents by letting users issue licenses of collecting and using their data Application and service providers must obtain a license from a person before collecting, processing, and using the person’s personal data. Application and service providers must obtain a license from a person before collecting, processing, and using the person’s personal data.

7 7 Benefits of Using Licenses Licenses can be shown while some personal data are used. Licenses can be shown while some personal data are used.

8 8 Benefits of Using Licenses (Cont’d) Licenses can be used in auditing processes to prevent data misuse Licenses can be used in auditing processes to prevent data misuse

9 9 Benefits of Using Licenses (Cont’d) Licenses can be used as evidence to prove that a site has misused a person’s data. Licenses can be used as evidence to prove that a site has misused a person’s data.

10 10 More Benefits of OPDL Permission to collect or use a person’s data is determined and given by the person himself/herself. Permission to collect or use a person’s data is determined and given by the person himself/herself. It also makes users begin to think about the damages when licensed data are misused when the users set their preferences It also makes users begin to think about the damages when licensed data are misused when the users set their preferences People can obtain more clear information about who have owned their personal data. People can obtain more clear information about who have owned their personal data.

11 11 Demonstrations of OPDL

12 12 Licensing Proposal The Licensing Proposal of OPDL is based on the P3P’s privacy policy The Licensing Proposal of OPDL is based on the P3P’s privacy policy The main modification is adding security consideration into a proposal. The main modification is adding security consideration into a proposal. The security policy, risk assessment and controls against the risks can be provided. The security policy, risk assessment and controls against the risks can be provided. The requester can be certified by a certification organization (e.g., based on BS7799/ ISO17799) The requester can be certified by a certification organization (e.g., based on BS7799/ ISO17799) A TCSEC-like tag can be used A TCSEC-like tag can be used

13 13 Example Licensing Proposal Example Enterprise MCwCFEC6jCCVmJoU/MNVLgkbOSHxTO8QAhRld6MRdFpi9MvtzD/f91U1aNC81g== The information about the requester of the proposal: Example Enterprise The requester’s security policy: Which organization certifies the requester: Data Requested:

14 14

15 15 Proposal Processing The PDL processes a proposal based on the data subject’s preferences The PDL processes a proposal based on the data subject’s preferences The preferences are based on APPEL. For each preference rule, it contains the following components: The preferences are based on APPEL. For each preference rule, it contains the following components: Action taken when a rule is matching Action taken when a rule is matching The rule’s target The rule’s target The rule is specified to what data The rule is specified to what data The rule is applied to whom The rule is applied to whom The requirement of certification The requirement of certification The security level requirement The security level requirement The purposes constraints The purposes constraints The retention policies constraints The retention policies constraints

16 16 Flow Chart of Proposal Processing

17 17

18 18 User Notification

19 19

20 20 License Issuing A decomposable license format is used: A decomposable license format is used: Auditing or gate-keeping mechanism may only need part of a license. Auditing or gate-keeping mechanism may only need part of a license. If a person wishes to update some part of his issued license, the person can update necessary parts instead of reissuing the whole license. If a person wishes to update some part of his issued license, the person can update necessary parts instead of reissuing the whole license.

21 21 An Example of a License CN=CSC, OU=CSC, O=CSC, L=Taipei, ST=Taipei, C=TW CN=CSC, OU=CSC, O=CSC, L=Taipei, ST=Taipei, C=TW 1042957664 Sun Mar 16 00:11:22 CST 2003 Example Enterprise Gender Male MCwCFBZYtH/xneRtEgVVjdCBCypfeWCVAhRWH8jm1xvETkYSfrrHNPpma2t9Uw== Jobtitle Test MC0CFCoA678dpmVlEaNnBwPfBmoDPmKYAhUAgrEg3BoVKiZVsWcx1Fo1dSOUUmU= Header Clause 1 Clause 2

22 22 Conclusions OPDL requires service providers to obtain licenses before collecting, processing and using their users ’ data OPDL requires service providers to obtain licenses before collecting, processing and using their users ’ data Compared to P3P, OPDL not only lets individuals know the privacy practices of a Web site, but also enforce the practices. Compared to P3P, OPDL not only lets individuals know the privacy practices of a Web site, but also enforce the practices. OPDL brings the control of personal data back to the owner of data. OPDL brings the control of personal data back to the owner of data. Licenses of OPDL can provide the same power of evidence as written consent Licenses of OPDL can provide the same power of evidence as written consent

23 23 Questions? Contact information: csc@mba.ntu.edu.tw http://www.mba.ntu.edu.tw/~csc/

24 24 Suggested Future Work Legislation Requirement Legislation Requirement To enhance the concept to other conditions (because Internet is not the only source that a enterprise can collect personal data). To enhance the concept to other conditions (because Internet is not the only source that a enterprise can collect personal data). Interface design Interface design A more complex negotiation model (e.g., to enable a person to “ sell ” his/her personal data) A more complex negotiation model (e.g., to enable a person to “ sell ” his/her personal data)

25 25 Appendix: The Role of OPDL in Misuse Regulation

Download ppt "From P3P to Data Licensing Cha, Shi-Cho ( 查士朝 ) and Joung, Yuh-zer ( 莊裕澤 ) Dept. of Information Management Nation Taiwan University, Taipei, Taiwan"

Similar presentations

CHAPTER 4 E-ENVIRONMENT

CHAPTER 4 E-ENVIRONMENT
CHARTERED SECRETARIES AUSTRALIA New Privacy Laws 6 June 2013.

CHARTERED SECRETARIES AUSTRALIA New Privacy Laws 6 June 2013.
IS3350 Security Issues in Legal Context

IS3350 Security Issues in Legal Context
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001 Presented to the ICGFM Annual Conference.

“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001" Presented to the ICGFM Annual Conference.
Legislation in ICT.

Legislation in ICT.
6/1/2015MINISTRY OF ENERGY, COMMUNICATIONS AND MULTIMEDIA 1 PRESENTATION OF PERSONAL DATA PROTECTION BILL PRESENTATION OF PERSONAL DATA PROTECTION BILL.

6/1/2015MINISTRY OF ENERGY, COMMUNICATIONS AND MULTIMEDIA 1 PRESENTATION OF PERSONAL DATA PROTECTION BILL PRESENTATION OF PERSONAL DATA PROTECTION BILL.
Security Controls – What Works

Security Controls – What Works
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.

University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Legislation in ICT. Data Protection Act (1998) What is the Data Protection Act (1998) and why was it created? What are the eight principles of the Data.

Legislation in ICT. Data Protection Act (1998) What is the Data Protection Act (1998) and why was it created? What are the eight principles of the Data.
DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH Nic Drew Data Protection Manager University Hospital of Wales  2074 6677  2074 5626 

DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH Nic Drew Data Protection Manager University Hospital of Wales   
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Personal Data (Privacy) Ordinance Hong Kong Personal Data (Privacy) Ordinance Hong Kong by Stephen Lau Privacy Commissioner for Personal Data Hong Kong.

Personal Data (Privacy) Ordinance Hong Kong Personal Data (Privacy) Ordinance Hong Kong by Stephen Lau Privacy Commissioner for Personal Data Hong Kong.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
The Data Protection Act

The Data Protection Act
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Similar presentations

Ads by Google