Privacy Authorization Languages - PowerPoint PPT Presentation

About This Presentation

Title:

Privacy Authorization Languages

Description:

Number of Views:21

Avg rating:3.0/5.0

Slides: 14

Provided by: lorr58

Learn more at: https://lorrie.cranor.org

Category:

Tags: authorization | fin | languages | privacy

Transcript and Presenter's Notes

Title: Privacy Authorization Languages

1
Privacy Authorization Languages

2
Privacy languages serve many roles

Specify organizations privacy policy to end
users and their agents
Specify users privacy preferences to users
agent
Specify organizations privacy policy to
gatekeeper server that can approve or deny
requests to access database
Specify policy associated with particular data
elements to parties that buy or rent data

3
Can one privacy language do it all?

Maybe
But so far none have emerged
Weve found over a dozen privacy languages
(including several access control and rule
languages used for privacy applications)
Languages have different audiences, specify
policies at different levels of granularity, and
have different strengths and weaknesses

4
User privacy preferences

P3P 1.0 agents may (optionally) take action based
on user preferences
Users should not have to trust privacy defaults
set by software vendors
User agents that can read APPEL (A P3P Preference
Exchange Language) files can offer users a number
of canned choices developed by trusted
organizations
Preference editors allow users to adapt existing
preferences to suit own tastes, or create new
preferences from scratch
For more info on APPEL see http//www.w3.org/TR/WD
-P3P-preferences or Chapter 13 in Web Privacy
with P3P

5
APPEL rule

description
connective- or- and- non-or- non-and-
and-exact- or-exact
pattern
Behavior- request- block- limited
6
What does this APPEL ruleset do?

7
APPEL question in HW7

What are your personal privacy preferences?
a) First express them in English as a set of 3 to
5 rules. For example one rule might be "I don't
want companies to share my data." If you can't
capture all of your privacy preferences in 5
rules, just write down the 5 rules you consider
most important.
b) Translate your rules into P3P vocabulary
elements (for example, the above rule would
translate to "RECIPIENTours")
c) Create an APPEL ruleset that represents your
set of 3 to 5 privacy preference rules (plus a
catch-all rule)

8
Microsoft privacy template language

See Appendix D of Web Privacy with P3P
http//msdn.microsoft.com/library/default.asp?url
/workshop/security/privacy/overview/privacyimportx
ml.asp
Specifies rules for user agents to handle various
types of cookies
Based on P3P compact policy tokens
Allows policies for specific web sites

9
Microsoft example

ltMSIEPrivacygtltMSIEPrivacySettings
formatVersion"6"gt
ltp3pCookiePolicy zone"internet"gt
ltfirstParty noPolicyDefault"reject"
noRuleDefault"accept" alwaysAllowSession"yes"gt
ltif expr"TEL" action"reject"gtlt/ifgt
ltif expr"FIN,CON" action"forceSession"gtlt/i
fgt
ltif expr"FIN,CONa" action"forceSession"gtlt/
ifgt
ltif expr"GOV,PUB" action"forceSession"gtlt/i
fgt
lt/firstPartygt
ltthirdParty noPolicyDefault"accept"
noRuleDefault"accept" alwaysAllowSession"yes"gt
lt/thirdPartygt
lt/p3pCookiePolicygt
ltalwaysReplayLegacy/gt
lt/MSIEPrivacySettingsgt
ltMSIESiteRules formatVersion"6"gt
ltsite domain"www.BlueYonderAirlines.com"
action"accept"gt
lt/sitegt
lt/MSIESiteRulesgtlt/MSIEPrivacygt

10
EPAL

Enterprise Privacy Authorization Language
Developed by IBM, submitted to W3C
Allows enterprises to develop granular rules to
check whether data access is authorized
Similar to P3P syntax but not identical
Includes
Data-categories
User-categories - administrators, doctors, etc.
Purposes
Actions - disclose, read, etc.
Obligations - delete after 30 days, get consent,
etc.
Conditions - user category doctor
Allow and deny rules
http//www.w3.org/Submission/2003/SUBM-EPAL-200311
10/