Enhancing Web Privacy Protection Through Declarative Policies

1
Enhancing Web Privacy Protection Through
Declarative Policies

• Pranam Kolari1
• Li Ding1, Lalana Kagal2, Shashi Ganjugunte1,
  Anupam Joshi1, Tim Finin1

1
2
2
Outline

• Web Privacy
• P3P/APPEL
• Motivation and Problem Description
• User Trust
• Rei Policy Language
• System Design
• Privacy Policy Specification
• Conclusion

3
Cathy on the Web
Source Cathy Guisewite via Lorrie Cranor
4
Cathy on the Web
Source Cathy Guisewite via Lorrie Cranor
5
P3P The current solution

• P3P is Platform for Privacy Preferences
• Protocols and specification languages
• P3P Schema for Websites
• APPEL Schema for Clients

6
P3P Sample Policy
ltPOLICIES xmlns"http//www.w3.org/2002/01/P3Pv1"gt
ltPOLICY discuri"http//p3pbook.com/privacy.html"
name"policy"gt ltENTITYgt
ltDATA-GROUPgt ltDATA ref"business.contac
t-info.online.email"gtprivacy_at_p3pbook.com
lt/DATAgt ltDATA ref"business.contact-in
fo.online.uri"gthttp//p3pbook.com/ lt/DATAgt
ltDATA ref"business.name"gtWeb Privacy With
P3Plt/DATAgt lt/DATA-GROUPgt lt/ENTITYgt
ltACCESSgtltnonident/gtlt/ACCESSgt ltSTATEMENTgt
ltCONSEQUENCEgtWe keep standard web server
logs.lt/CONSEQUENCEgt ltPURPOSEgtltadmin/gtltcurrent/
gtltdevelop/gtlt/PURPOSEgt ltRECIPIENTgtltours/gtlt/RECI
PIENTgt ltRETENTIONgtltindefinitely/gtlt/RETENTIONgt
ltDATA-GROUPgt ltDATA ref"dynamic.clicks
tream"/gt ltDATA ref"dynamic.http"/gt
lt/DATA-GROUPgt lt/STATEMENTgt lt/POLICYgt lt/POLICIESgt
Slide Courtesy Lorrie Cranor
7
APPEL

• APPEL is A P3P Preference Exchange Language (W3C
  working draft in April 2002)

Website P3P Policy
APPEL User Preference
ltRULESETgt ltRULE behaviorrequestgt ltPOLICYgt ltSTAT
EMENTgt ltPURPOSEgtltindividual-decision/gtlt/PURPOSEgt lt
RECIPIENTgtltours/gtlt/RECIPIENTgt lt/STATEMENTgt lt/POLI
CYgt lt/RULEgt lt/RULESETgt
ltSTATEMENTgt ltPURPOSEgtlt individual-decision
/gtlt/PURPOSEgt ltRECIPIENTgtltours/gtlt/RECIPIENTgt
lt/STATEMENTgt
8
The problem
9
Trusting Websites

• 56 of consumers dont believe businesses keep
  promises
• 63 believe independent verification is important
• 62 believe existing laws and organizational
  practices are insufficient

Consumer Confidence
Trust website policies
Distrust website policies
Source (Ernst and Young report 2004)
10
Existing Mechanisms
A4Proxy
11
P3P/XPref
APPEL User Preference
Website P3P Policy
ltRULESETgt ltRULE behaviorrequestgt ltPOLICYgt ltSTAT
EMENTgt ltPURPOSEgtltindividual-decision/gtlt/PURPOSEgt lt
RECIPIENTgtltours/gtlt/RECIPIENTgt lt/STATEMENTgt lt/POLI
CYgt lt/RULEgt lt/RULESETgt
ltSTATEMENTgt ltPURPOSEgtlt individual-decision
/gtlt/PURPOSEgt ltRECIPIENTgtltours/gtlt/RECIPIENTgt
lt/STATEMENTgt ltSTATEMENTgt ltPURPOSEgtlt
telemarketing /gtlt/PURPOSEgt ltRECIPIENTgtltthird-party
/gtlt/RECIPIENTgt lt/STATEMENTgt
ltRULESETgt ltRULE behaviorrequest
condition/POLICY every pname in
STATEMENT/PURPOSE/ satisfies
name(panme)individual-decision
and every rname in
STATEMENT/RECIPIENT/ satisfies
name(rname) ours /gt ltRULE
behaviorblock conditiontrue/gt lt/RULESETgt
XPref User Preference
12
Low P3P Adoption
13
Problem Description

1. P3P policies published by websites not trusted by
   users
2. Low P3P adoption impedes client adoption by users
3. The languages available to describe user privacy
   preferences are not sufficiently expressive
4. P3P framework does not provide a coherent view of
   available privacy protection mechanisms to the
   user

14
Our approach
15
Social Recommendations (1, 2)
Note Superscripts signify problem being addressed
16
Website Evaluation Ontology (1, 2)

• Modeling User Perspective of Trust
• Populating ontology with instance data
• BizRate
• Services for users to explicitly specify
  preferences
• Share using existing social network mechanisms
  (Ding 2003)

Website Evaluation Ontology
www.slashdot.org
serviceType
popularity
DiscussionGroup
9
owner
hasP3P
OSDN
URI
hasPrivacyCertifier
isBasedOutOf
--
USA
hasTextPolicy
domainSuffix
URI
org
US
OSDN
lawEnforcedBy
policySimilarTo
Yes
hasPolicyEnforcement
17
Rei Policy Language (3)(4)

• Rei, a policy specification language developed
• by Lalana Kagal at UMBC (lkagal 2003)
• Encoded in (1) Prolog, (2) OWL
• Models deontic concepts of permissions,
  prohibitions, obligations and dispensations
• Uses meta policies for conflict resolution
• Uses speech acts for dynamic policy modification
• We used it as a policy specification language
• RDF specification capability (matches that of
  P3P)
• Dynamic Policies as future extension to our work

Part content Courtesy Lalana Kagal
18
Rei Policy Language (3)(4)
actor, target
Entity
DeonticObject
to
action
deontic
grants
Policy
Granting
Action
precondition, effect
DomainAction
SpeechAct
requirement
Constraint
context
Boolean
Simple
19
Rei Policy Modeling (1)(2)(3)(4)

• Two actors
• Website
• Web browser
• Multiple context
• P3P RDF published by websites
• User Context
• Trust Recommendations
• Multiple actions with priorities
• Right, Prohibition, Obligation

(not enforced)
20
System Design (1)(2)(3)(4)

• Key Points
• Web Sites optionally publish P3P policies
• Clients specify privacy preferences using a
  policy language - Rei
• Privacy Expert is the privacy enhancement enabler
  by binding together entities of the system
• Rei Engine evaluates policies of users against
  website attributes
• Website Recommender Network propagates and builds
  a model of websites based on reputation
• FOAF Enables the creation of the website
  recommender network

1
Website Recommender Network
publish (optionally)
Web Server
P3P Policy
Ontologies, Trust rules Personal agents
XSLT Transformer
5
3
Rei Engine
4
Privacy Expert
JRC Privacy Proxy
6
FOAF
Rei Privacy Policy (RDF based, enhancements over
APPEL)
Trusted Agent Network
Clients
publish
2
FOAF, Golbeck, Li ideas of Trust
21
Example Policy 1 - Template
ltpolicyPolicy rdfabout"wwwpolicycomprehensive
policydesc"Sample policy"gt
ltpolicygrants rdfresource"wwwpolicygrantingPe
rmission" /gt .. lt/policyPolicygt lt! Granting
Objects --gt ltpolicyGranting rdfabout"wwwpolicy
grantingPermission"gt ltpolicydescgtCurrent
policy allows access to a websitelt/policydescgt
ltpolicyto rdfresource"wwwpolicyvar1"/gt
ltpolicydeontic rdfresource"wwwpolicyright1"
/gt lt/policyGrantinggt lt! Deontic Objects
--gt ltdeonticPermission rdfabout"wwwpolicyrigh
t1"gt ltdeonticactor rdfresource"wwwpolicyv
ar1"/gt ltdeonticaction rdfresource"wwwpolic
yrequest"/gt ltdeonticconstraint
rdfresource"wwwpolicycomplexconstraint" /gt
lt/deonticPermissiongt
Policy Rule
Rule Desc.
Rule Actor
Rule Action
Policy Constraint
22
Example Policy 1 - Constraints
Policy Constraint
ltconstraintSimpleConstraint rdfaboutwwwpolicy
domainOfServiceConstraint
constraintsubject wwwpolicyvar1
constraintpredicatewwwpolicydomainOfServiceCo
nstraint constraintobjectweotravel
/gt ltconstraintSimpleConstraint
rdfaboutwwwpolicytrustedDomainGOVconstraint
constraintsubject wwwpolicyvar1
constraintpredicateweodomainSuffix
constraintobjectweogov /gt ltconstraintOr
rdfaboutwwwpolicycomplexconstraintgt
ltconstraintfirst rdfresourcewwwpolicytrusted
DomainGOVconstraint /gt ltconstraintsecond
rdfresourcewwwpolicydomainOfServiceConstraint
/gt lt/constraintOrgt
Policy Constraint
Policy Constraint
23
Example Policy 2 - Obligation

• ltpolicyPolicy rdfabout"wwwpolicyobligationexa
  mple"
• ltpolicygrants rdfresource"wwwpolicygrantingR
  ight" /gt
• ltpolicygrants rdfresource"wwwpolicygrantingO
  bligation"/gt
• lt/policyPolicygt
• ltpolicyGranting rdfabout"wwwpolicygrantingRig
  ht"gt
• ltpolicydeontic rdfresource"wwwpolicyright1"/
  gt
• lt/policyGrantinggt
• ltpolicyGranting rdfabout"wwwpolicygrantingObl
  igation"gt
• ltpolicyto rdfresource"wwwpolicywebbrowser"/gt
  
• ltpolicydeontic rdfresource"wwwpolicyobligati
  on1"/gt
• ..
• lt/policyGrantinggt
• ltdeonticPermission rdfabout"wwwpolicyright1"gt
  
• ltdeonticactor rdfresource"wwwpolicywe
  bsite"/gt
• ltdeonticaction rdfresource"wwwpolicyr
  equest"/gt
• lt/deonticPermissiongt

Right
Obligation
24
Example Policy 3 - Priority
ltpolicyPolicy rdfabout"wwwpolicyruleprioritye
xamplegt ltpolicydefaultModality
rdfresourcemetapolicyNegativeModalityPreceden
ce/gt ltpolicygrants rdfresource"wwwpolicyg
rantingRight1" /gt ltpolicygrants
rdfresource"wwwpolicygrantingRight2" /gt
ltpolicygrants rdfresource"wwwpolicygrantingPr
ohibition" /gt ltmetapolicyrulePriority
rdfresource"wwwpolicyrulepriority1"/gt
lt/policyPolicygt ltmetapolicyRulePriority
rdfaboutwwwpolicyrulepriority1gt
ltmetapolicyruleOfGreaterPriority
rdfresourcewwwpolicygrantingRight1 /gt
ltmetapolicyruleOfLesserPriority
rdfresourcewwwpolicygrantingProhibition
/gt lt/metapolicyRulePrioritygt
Default
Rules
Explicit
25
Closing Remarks

• Evaluation of trust based recommender systems
• Web browser adopting enhanced framework
• E-mail clients with FOAF based spam filtering
• Policy Engines
• User Context Manager
• Ontologies from the Semantic Web
• Development of common shared ontologies for user
  trust and context FOAF, SOUPA

26
Conclusion

• The utility of an existing policy language in a
  highly complex policy engineering domain
• Policy engineering and enforcement in Web Privacy
  offers many challenges
• Enforcing Obligations
• Engineering Delegation Logic using Speech Acts
  and subsequent enforcement

27
Questions ??
Paper and Presentation Available
at http//ebiquity.umbc.edu/v2.1/paper/html/id/21
3/