Privacy Policy Management

1
Privacy Policy Management

• October 11, 2007

2
Privacy security policy management

• http//projects.cerias.purdue.edu/ocrproj/
• Today many organizations have ad hoc policies
• Difficult to enforce reliably
• Policy management frameworks promote consistent
  policy enforcement
• Components
• Policy authoring
• Policy conflict/gap detection/resolution
• Policy enforcement
• Policy communication
• Policy composition and comparison (combining
  multiple policies)

3
Privacy languages serve many roles

• Specify organizations privacy policy to end
  users and their agents
• Specify users privacy preferences to users
  agent
• Specify organizations privacy policy to
  gatekeeper server that can approve or deny
  requests to access database
• Specify policy associated with particular data
  elements to parties that buy or rent data

4
Can one privacy language do it all?

• Maybe
• But so far none have emerged
• Weve found over a dozen privacy languages
  (including several access control and rule
  languages used for privacy applications)
• Languages have different audiences, specify
  policies at different levels of granularity, and
  have different strengths and weaknesses

5
Privacy Languages

• A P3P Preference Exchange Language (APPEL)
• Alliance Identity - Web Services Framework (ID -
  WSF)
• Customer Profile Exchange (CPExchange)
• Declarative Privacy Authorization Language (DPAL)
  
• Enterprise Privacy Authorization Language (EPAL)
• eXtensible Access Control Markup Language (XACML)
  
• GEOPRIV
• Platform for Enterprise Privacy Practices (E-P3P)
  
• Platform for Privacy Preferences (P3P)
• Privacy Rights Markup Language (PRML)
• Privacy Template
• Security Assertion Markup Language (SAML)
• XML Access Control Language (XACL)
• X-Path Based Preference Langauage (XPref)

6
Genealogy of languages
7
EPAL

• Enterprise Privacy Authorization Language
• Developed by IBM, submitted to W3C
• Allows enterprises to develop granular rules to
  check whether data access is authorized
• Similar to P3P syntax but not identical
• Includes
• Data-categories
• User-categories - administrators, doctors, etc.
• Purposes
• Actions - disclose, read, etc.
• Obligations - delete after 30 days, get consent,
  etc.
• Conditions - user category doctor
• Allow and deny rules
• http//www.w3.org/Submission/2003/SUBM-EPAL-200311
  10/

8
User privacy preferences

• P3P 1.0 agents may (optionally) take action based
  on user preferences
• Users should not have to trust privacy defaults
  set by software vendors
• User agents that can read APPEL (A P3P Preference
  Exchange Language) files can offer users a number
  of canned choices developed by trusted
  organizations
• Preference editors allow users to adapt existing
  preferences to suit own tastes, or create new
  preferences from scratch
• For more info on APPEL see http//www.w3.org/TR/WD
  -P3P-preferences or Chapter 13 in Web Privacy
  with P3P

9
Microsoft privacy template language

• See Appendix D of Web Privacy with P3P
• http//msdn.microsoft.com/library/default.asp?url
  /workshop/security/privacy/overview/privacyimportx
  ml.asp
• Specifies rules for user agents to handle various
  types of cookies
• Based on P3P compact policy tokens
• Allows policies for specific web sites

10
Microsoft example

• ltMSIEPrivacygtltMSIEPrivacySettings
  formatVersion"6"gt
• ltp3pCookiePolicy zone"internet"gt
• ltfirstParty noPolicyDefault"reject"
  noRuleDefault"accept" alwaysAllowSession"yes"gt
• ltif expr"TEL" action"reject"gtlt/ifgt
• ltif expr"FIN,CON" action"forceSession"gtlt/i
  fgt
• ltif expr"FIN,CONa" action"forceSession"gtlt/
  ifgt
• ltif expr"GOV,PUB" action"forceSession"gtlt/i
  fgt
• lt/firstPartygt
• ltthirdParty noPolicyDefault"accept"
  noRuleDefault"accept" alwaysAllowSession"yes"gt
• lt/thirdPartygt
• lt/p3pCookiePolicygt
• ltalwaysReplayLegacy/gt
• lt/MSIEPrivacySettingsgt
• ltMSIESiteRules formatVersion"6"gt
• ltsite domain"www.BlueYonderAirlines.com"
• action"accept"gt
• lt/sitegt
• lt/MSIESiteRulesgtlt/MSIEPrivacygt

11
APPEL rule

• ltappelRULE behavior"limited" prompt"yes"
• description"Warning! Data may be shared."gt
• ltp3pPOLICYgt
• ltp3pSTATEMENTgt
• ltp3pRECIPIENT appelconnective"or" gt
• ltp3psame/gt
• ltp3pother-recipient/gt
• ltp3ppublic/gt
• ltp3punrelated/gt
• lt/p3pRECIPIENTgt
• lt/p3pSTATEMENTgt
• lt/p3pPOLICYgt
• lt/appelRULEgt

description
connective- or- and- non-or- non-and-
and-exact- or-exact
pattern
Behavior- request- block- limited
12
What does this APPEL ruleset do?

• ?lt?xml version"1.0"?gt
• ltappelRULESET xmlnsappel"http//www.w3.org/20
  01/02/APPELv1"
• xmlnsp3phttp//www.w3.org/2000/12/P3Pv1
  crtdby"Lorrie Cranor" gt
• ltappelRULE behavior"limited"
  descriptionWHAT DOES IT DO?" gt
• ltp3pPOLICY gt
• ltp3pSTATEMENT gt
• ltp3pPURPOSE appelconnective"or"gt
• ltp3pcontact required"opt-out" /gt
• ltp3ptelemarketing required"opt-out"
  /gt
• ltp3pcontact required"always" /gt
• ltp3ptelemarketing required"always"
  /gt
• lt/p3pPURPOSEgt
• lt/p3pSTATEMENTgt
• lt/p3pPOLICYgt
• lt/appelRULEgt
• ltappelRULE behavior"request" gt
• ltappelOTHERWISE /gt
• lt/appelRULEgt

13
Creating APPEL rule sets

• Express your personal privacy preferences in
  English
• Example "I don't want companies to share my
  data."
• Translate your rules into P3P vocabulary elements
  
• Example "RECIPIENTours"
• Create an APPEL ruleset that represents your
  privacy preference rules (plus a catch-all rule)

14
Using APPEL to analyze P3P policies

• Toolkit for Automated Privacy Policy Analysis
  (TAPPA)
• http//cups.cs.cmu.edu/tappa/

15
Homework 3 Discussion

• http//cups.cs.cmu.edu/courses/privpolawtech-fa07/
  hw/hw3.html
• Web bugs - What are they used for? Do these uses
  raise privacy concerns?
• P3P user agent critiques