150 likes | 336 Views
Privacy Policy Management. October 11, 2007. Privacy & security policy management. http://projects.cerias.purdue.edu/ocrproj/ Today many organizations have ad hoc policies Difficult to enforce reliably Policy management frameworks promote consistent policy enforcement Components
E N D
Privacy Policy Management October 11, 2007
Privacy & security policy management • http://projects.cerias.purdue.edu/ocrproj/ • Today many organizations have ad hoc policies • Difficult to enforce reliably • Policy management frameworks promote consistent policy enforcement • Components • Policy authoring • Policy conflict/gap detection/resolution • Policy enforcement • Policy communication • Policy composition and comparison (combining multiple policies)
Privacy languages serve many roles • Specify organization’s privacy policy to end users and their agents • Specify users’ privacy preferences to users’ agent • Specify organization’s privacy policy to gatekeeper server that can approve or deny requests to access database • Specify policy associated with particular data elements to parties that buy or rent data
Can one privacy language do it all? • Maybe… • But so far none have emerged • We’ve found over a dozen privacy languages (including several access control and rule languages used for privacy applications) • Languages have different audiences, specify policies at different levels of granularity, and have different strengths and weaknesses
Privacy Languages • A P3P Preference Exchange Language (APPEL) • Alliance Identity - Web Services Framework (ID - WSF) • Customer Profile Exchange (CPExchange) • Declarative Privacy Authorization Language (DPAL) • Enterprise Privacy Authorization Language (EPAL) • eXtensible Access Control Markup Language (XACML) • GEOPRIV • Platform for Enterprise Privacy Practices (E-P3P) • Platform for Privacy Preferences (P3P) • Privacy Rights Markup Language (PRML) • Privacy Template • Security Assertion Markup Language (SAML) • XML Access Control Language (XACL) • X-Path Based Preference Langauage (XPref)
EPAL • Enterprise Privacy Authorization Language • Developed by IBM, submitted to W3C • Allows enterprises to develop granular rules to check whether data access is authorized • Similar to P3P syntax but not identical • Includes • Data-categories • User-categories - administrators, doctors, etc. • Purposes • Actions - disclose, read, etc. • Obligations - delete after 30 days, get consent, etc. • Conditions - user category = doctor • Allow and deny rules http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
User privacy preferences • P3P 1.0 agents may (optionally) take action based on user preferences • Users should not have to trust privacy defaults set by software vendors • User agents that can read APPEL (A P3P Preference Exchange Language) files can offer users a number of canned choices developed by trusted organizations • Preference editors allow users to adapt existing preferences to suit own tastes, or create new preferences from scratch • For more info on APPEL see http://www.w3.org/TR/WD-P3P-preferences or Chapter 13 in Web Privacy with P3P
Microsoft privacy template language • See Appendix D of Web Privacy with P3P • http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp • Specifies rules for user agents to handle various types of cookies • Based on P3P compact policy tokens • Allows policies for specific web sites
Microsoft example <MSIEPrivacy><MSIEPrivacySettings formatVersion="6"> <p3pCookiePolicy zone="internet"> <firstParty noPolicyDefault="reject" noRuleDefault="accept" alwaysAllowSession="yes"> <if expr="TEL" action="reject"></if> <if expr="FIN,CON" action="forceSession"></if> <if expr="FIN,CONa" action="forceSession"></if> <if expr="GOV,PUB" action="forceSession"></if> </firstParty> <thirdParty noPolicyDefault="accept" noRuleDefault="accept" alwaysAllowSession="yes"> </thirdParty> </p3pCookiePolicy> <alwaysReplayLegacy/> </MSIEPrivacySettings> <MSIESiteRules formatVersion="6"> <site domain="www.BlueYonderAirlines.com" action="accept"> </site> </MSIESiteRules></MSIEPrivacy>
APPEL rule <appel:RULE behavior="limited" prompt="yes" description="Warning! Data may be shared."> <p3p:POLICY> <p3p:STATEMENT> <p3p:RECIPIENT appel:connective="or" > <p3p:same/> <p3p:other-recipient/> <p3p:public/> <p3p:unrelated/> </p3p:RECIPIENT> </p3p:STATEMENT> </p3p:POLICY> </appel:RULE> description connective- or- and- non-or- non-and- and-exact- or-exact pattern Behavior- request- block- limited
What does this APPEL ruleset do? <?xml version="1.0"?> <appel:RULESET xmlns:appel="http://www.w3.org/2001/02/APPELv1" xmlns:p3p=http://www.w3.org/2000/12/P3Pv1 crtdby="Lorrie Cranor" > <appel:RULE behavior="limited" description=”WHAT DOES IT DO?" > <p3p:POLICY > <p3p:STATEMENT > <p3p:PURPOSE appel:connective="or"> <p3p:contact required="opt-out" /> <p3p:telemarketing required="opt-out" /> <p3p:contact required="always" /> <p3p:telemarketing required="always" /> </p3p:PURPOSE> </p3p:STATEMENT> </p3p:POLICY> </appel:RULE> <appel:RULE behavior="request" > <appel:OTHERWISE /> </appel:RULE> </appel:RULESET>
Creating APPEL rule sets • Express your personal privacy preferences in English • Example: "I don't want companies to share my data." • Translate your rules into P3P vocabulary elements • Example: "RECIPIENT=ours" • Create an APPEL ruleset that represents your privacy preference rules (plus a catch-all rule)
Using APPEL to analyze P3P policies • Toolkit for Automated Privacy Policy Analysis (TAPPA) • http://cups.cs.cmu.edu/tappa/
Homework 3 Discussion • http://cups.cs.cmu.edu/courses/privpolawtech-fa07/hw/hw3.html • Web bugs - What are they used for? Do these uses raise privacy concerns? • P3P user agent critiques