Enterprise Privacy Promises and Enforcement. Adam Barth, John C. Mitchell. Formal Languages for Privacy: one approach to protecting privacy is to articulate and enforce restrictions on data practices; several formal languages for privacy exist, among them W3C’s Platform for Privacy Preferences (P3P).
Enterprise Privacy Promises and Enforcement
Adam Barth, John C. Mitchell
Formal Languages for Privacy
• One approach to protecting privacy is to articulate and enforce restrictions on data practices
• Several formal languages for privacy exist
  • W3C’s Platform for Privacy Preferences (P3P)
  • IBM’s Enterprise Privacy Authorization Language (EPAL)
• These languages lack a connection between announced P3P policies and operative EPAL policies
• We make this connection through a unified, data-centric model for privacy policies
Usage Scenario (diagram): the service provider generates a DPAL policy that enforces its P3P policy (or compact P3P policy); the consumer’s user agent generates an APPEL preference and decides whether to accept the P3P policy.
Overview
• Motivate and describe our model
  • Perspectives on privacy
  • Data hierarchies and levels of detail
  • Policies as sets of promises
  • Enforcement
• Apply our model to existing languages
  • Anomalies in APPEL and XPref
  • Semantics for P3P compact policies
  • Connecting privacy promises and enforcement
  • Policy summarization using projection
Perspectives on Privacy
• Two types of principals in privacy
  • Service providers
  • Consumers
• Service providers impose a lower bound
• Consumers impose an upper bound
• A privacy policy satisfying both these bounds is acceptable to both parties
Example: Privacy Perspectives
• Service provider lower bound:
  • “I want to use a consumer’s home address in delivering my product.”
• Consumer upper bound:
  • “I don’t want my home telephone number to be used for telemarketing.”
Data Hierarchies for Privacy
• Privacy policies summarize data practices
• Different policies (and different languages) summarize practices at different levels of detail
• Levels of detail represented in a data hierarchy
  (diagram: Blood Test Results, with components T-cell Count and Blood Cholesterol Level)
Policies as Sets of Promises
• View a privacy policy as a set of promises a service provider makes to a consumer
  • “I will not disclose your blood cholesterol level.”
• Can the service provider disclose blood test results?
  • Not all blood test results
  • But some (T-cell count)
• Service provider uses a lower bound, answers No
• Consumer uses an upper bound, answers Yes
Modal Reasoning about Policies
• Formalize reasoning using modal logic
• Modalities (□ and ◊) over the data hierarchy
• Blood test results ||- □ Disclose
  • Service provider may disclose all components of blood test results
• Blood test results ||- ◊ Disclose
  • Service provider may disclose some components of blood test results
Enforcing Privacy Promises
• Motivation: If an EPAL policy enforces a P3P policy and a consumer accepts the P3P policy, then the consumer accepts the EPAL policy
• Formally defined in our model using modal logic
  • Consumers use a class of modal formulae in reasoning about a policy
  • Ensure that reasoning carries over from the enforced to the enforcing policy
• Generalizes previous privacy policy relations
Overview
• Motivate and describe our model
  • Perspectives on privacy
  • Data hierarchies and levels of detail
  • Policies as sets of promises
  • Enforcement
• Apply our model to existing languages
  • Anomalies in APPEL and XPref
  • Semantics for P3P compact policies
  • Connecting privacy promises and enforcement
  • Policy summarization using projection
Privacy Preferences
• Several languages exist for expressing consumer privacy preferences about P3P policies
• A P3P user agent compares the received policy with the user’s preferences and may block the web site
• APPEL proposed by the W3C
• XPref was proposed in response
  • Based on XPath
• Both APPEL and XPref can express anomalous preferences
  • “Block web sites that do not telemarket.”
P3P Compact Policies
• Compact policies are terse policy summaries
  • Included in HTTP headers with cookies
  • Interpreted by Internet Explorer
• We give compact policies clear semantics
  • Represent the value of certain ◊ terms
  • Answer common consumer queries
Example: Compact Semantics
• P3P policy states:
  • “Service provider may use your purchase history for telemarketing.”
• Represented in compact policy as:
  • TEL
• Semantics of TEL term:
  • Personal information ||- ◊ Telemarketing
Enforcing Privacy Promises
• Detailed policy descriptions are used for enforcement
• EPAL proposed as one such enforcement language
• EPAL geared towards answering service provider queries (evaluating □ terms)
• □-invariance: d ||- a ⇒ d ||- □ a
• □-invariance is equivalent to safety
  • A policy is safe iff less detailed questions do not lead to more rights
• EPAL not actually safe (but that’s another topic)
Transitivity of Enforcement (diagram): the EPAL policy enforces the P3P policy, the P3P policy enforces the compact policy, and hence the EPAL policy enforces the compact policy.
Projection Algorithm
• Motivation: Leverage effort spent writing a detailed enforcement policy to generate a P3P policy
• Criteria for the generated policy summary
  • Enforced by the detailed policy
  • Is the least permissive such policy (at a given level of detail)
• We provide an algorithm for generating such policy summaries
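The following is an added illustration, not code from the slides or from the authors: it evaluates the □ and ◊ modalities over a constructed data hierarchy (the "blood test results" question above), checks □-invariance as a safety test, and builds a coarse-level summary; the summarization rule (mark a coarse node permitted exactly when some component below it is) is my reading of the projection criteria, not the authors' algorithm.

```python
# Added example (not from the slides): box/diamond reasoning over a data
# hierarchy, the safety (box-invariance) check, and a coarse-level summary.

# Constructed hierarchy: parent -> children; leaves hold the detailed data.
HIERARCHY = {
    "personal-info": ["contact", "blood-test-results"],
    "contact": ["home-address", "home-phone"],
    "blood-test-results": ["t-cell-count", "cholesterol"],
}

def descendants(d):
    """d itself plus every node below it in the hierarchy."""
    out = [d]
    for child in HIERARCHY.get(d, []):
        out.extend(descendants(child))
    return out

def box(policy, d, a):
    """d ||- [box] a: every node at or below d permits action a."""
    return all((n, a) in policy for n in descendants(d))

def diamond(policy, d, a):
    """d ||- [diamond] a: some node at or below d permits action a."""
    return any((n, a) in policy for n in descendants(d))

def is_safe(policy):
    """Box-invariance: d ||- a implies d ||- [box] a for every explicit
    permission, so a less detailed question never yields more rights."""
    return all(box(policy, d, a) for (d, a) in policy)

def summarize(policy, level, actions):
    """Assumed reading of projection: a coarse node is marked permitted exactly
    when some component below it is, giving the least permissive upper bound
    that the detailed policy still enforces."""
    return {(d, a) for d in level for a in actions if diamond(policy, d, a)}

# Constructed detailed policy: explicit (data, action) permissions.
DETAILED = {("home-address", "delivery"), ("home-phone", "telemarketing"),
            ("t-cell-count", "disclose")}

if __name__ == "__main__":
    # "Can the service provider disclose blood test results?" from the slides:
    print(box(DETAILED, "blood-test-results", "disclose"))      # False: provider says No
    print(diamond(DETAILED, "blood-test-results", "disclose"))  # True: consumer says Yes
    print(is_safe(DETAILED))                                    # True: leaves only
    print(is_safe(DETAILED | {("contact", "telemarketing")}))   # False: inner node
    print(summarize(DETAILED, ["contact", "blood-test-results"], ["telemarketing", "disclose"]))
```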
Conclusion
• Proposed a uniform model for privacy
• Discovered anomalies in APPEL and XPath
• Defined clear semantics for P3P compact policies
• Connected privacy promises with privacy enforcement
• Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P)
• In privacy, it is important to consider the differing perspectives of the principals involved