
Enterprise Privacy Promises and Enforcement


Presentation Transcript


  1. Enterprise Privacy Promises and Enforcement
     Adam Barth, John C. Mitchell

  2. Formal Languages for Privacy
     • One approach to protecting privacy is to articulate and enforce restrictions on data practices
     • Several formal languages for privacy
       • W3C’s Platform for Privacy Preferences (P3P)
       • IBM’s Enterprise Privacy Authorization Language (EPAL)
     • Lack a connection between announced P3P policies and operative EPAL policies
     • We make this connection through a unified, data-centric model for privacy policies

  3. Usage Scenario
     [Diagram: Service Provider and Consumer. Labels: DPAL Policy, P3P Policy, Compact P3P, User Agent, APPEL Preference; arrows labelled Generates, Enforces, Accept.]

  4. Overview
     • Motivate and describe our model
       • Perspectives on privacy
       • Data hierarchies and levels of detail
       • Policies as sets of promises
       • Enforcement
     • Apply our model to existing languages
       • Anomalies in APPEL and XPref
       • Semantics for P3P compact policies
       • Connecting privacy promises and enforcement
       • Policy summarization using projection

  5. Perspectives on Privacy
     • Two types of principals in privacy
       • Service providers
       • Consumers
     • Service providers impose a lower bound
     • Consumers impose an upper bound
     • A privacy policy satisfying both these bounds is acceptable to both parties

  6. Example: Privacy Perspectives
     • Service provider lower bound:
       • “I want to use a consumer’s home address in delivering my product.”
     • Consumer upper bound:
       • “I don’t want my home telephone number to be used for telemarketing.”

  7. Data Hierarchies for Privacy
     • Privacy policies summarize data practices
     • Different policies (and different languages) summarize practices at different levels of detail
     • Levels of detail represented in a data hierarchy
     [Diagram: Blood Test Results, with components T-cell Count and Blood Cholesterol Level.]

  8. Policies as Sets of Promises
     • View a privacy policy as a set of promises a service provider makes to a consumer
       • “I will not disclose your blood cholesterol level.”
     • Can the service provider disclose blood test results?
       • Not all blood test results
       • But some (T-cell count)
     • Service provider uses a lower bound, answers No
     • Consumer uses an upper bound, answers Yes

  9. Modal Reasoning about Policies
     • Formalize reasoning using modal logic
     • Modalities (□ and ◊) over data hierarchy
     • Blood test results ||- □ Disclose
       • Service provider may disclose all components of blood test results
     • Blood test results ||- ◊ Disclose
       • Service provider may disclose some components of blood test results

  10. Enforcing Privacy Promises
     • Motivation: If an EPAL policy enforces a P3P policy and a consumer accepts the P3P policy, then the consumer accepts the EPAL policy
     • Formally defined in our model using modal logic
     • Consumers use a class of modal formulae in reasoning about a policy
     • Ensure that reasoning carries over from enforced to enforcing policy
     • Generalizes previous privacy policy relations

  11. Overview
     • Motivate and describe our model
       • Perspectives on privacy
       • Data hierarchies and levels of detail
       • Policies as sets of promises
       • Enforcement
     • Apply our model to existing languages
       • Anomalies in APPEL and XPref
       • Semantics for P3P compact policies
       • Connecting privacy promises and enforcement
       • Policy summarization using projection

  12. Privacy Preferences
     • Several languages exist for expressing consumer privacy preferences about P3P
     • A P3P user agent compares received policy with user’s preferences and may block web site
     • APPEL proposed by the W3C
     • XPref was proposed in response
       • Based on XPath
     • Both APPEL and XPref can express anomalous preferences
       • “Block web sites that do not telemarket.”

  13. P3P Compact Policies
     • Compact policies are terse policy summaries
     • Included in HTTP headers with cookies
     • Interpreted by Internet Explorer
     • We give compact policies clear semantics
       • Represent the value of certain ◊ terms
       • Answer common consumer queries

  14. Example: Compact Semantics
     • P3P policy states:
       • “Service provider may use your purchase history for telemarketing.”
     • Represented in compact policy as:
       • TEL
     • Semantics of TEL term:
       • Personal information ||- ◊ Telemarketing

  15. Enforcing Privacy Promises
     • Detailed policy descriptions used for enforcement
     • EPAL proposed as one such enforcement language
     • EPAL geared towards answering service provider queries (evaluating terms)
     • □-invariance: d ||- a ⇒ d ||- □a
     • □-invariance equivalent to safety
       • A policy is safe iff less detailed questions do not lead to more rights
     • EPAL not actually safe (but that’s another topic)

  16. Transitivity of Enforcement
     [Diagram: EPAL Policy enforces P3P Policy; P3P Policy enforces Compact Policy; hence EPAL Policy enforces Compact Policy.]

  17. Projection Algorithm
     • Motivation: Leverage effort spent writing detailed enforcement policy to generate P3P policy
     • Criteria for generated policy summary
       • Enforced by detailed policy
       • Is the least permissive such policy (at a given level of detail)
     • We provide an algorithm for generating such policy summaries
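The following is an added worked example, not code from the authors or the paper: it models the data hierarchy and the □/◊ queries of slides 8 and 9, the safety condition of slide 15 and the summary criteria of slide 17 in Python. The hierarchy, the action names, the encoding of a policy as a set of explicit (data item, action) grants, and the reading of "enforced summary" via slide 14's ◊ semantics are all assumptions made for the example.

```python
# Constructed data hierarchy (an assumption, not from the slides):
# data item -> its components one level down.
HIERARCHY = {
    "personal_info": ["blood_test_results", "home_address", "purchase_history"],
    "blood_test_results": ["t_cell_count", "blood_cholesterol_level"],
}

def components(d):
    """d together with every data item below it in the hierarchy."""
    out = [d]
    for child in HIERARCHY.get(d, []):
        out += components(child)
    return out

def holds(policy, d, a):
    """d ||- a : the policy grants action a on d when asked about d directly."""
    return (d, a) in policy

def box(policy, d, a):
    """d ||- □a : every component of d (d included) may be used for a."""
    return all(holds(policy, c, a) for c in components(d))

def diamond(policy, d, a):
    """d ||- ◊a : at least one component of d may be used for a."""
    return any(holds(policy, c, a) for c in components(d))

def may(policy, d, a, perspective):
    """Slide 8: the provider answers with the lower bound (□),
    the consumer with the upper bound (◊)."""
    return box(policy, d, a) if perspective == "provider" else diamond(policy, d, a)

def is_safe(policy):
    """Slide 15 (□-invariance): a right granted at d must hold at every
    component of d, so a less detailed question never yields more rights."""
    return all(box(policy, d, a) for d, a in policy)

def project(policy, level):
    """Slide 17, read with slide 14's ◊ semantics (an assumption): the summary
    at `level` promises (d, a) exactly when some component of d carries a,
    the least permissive summary the detailed policy still enforces."""
    actions = {a for _, a in policy}
    return {(d, a) for d in level for a in actions if diamond(policy, d, a)}

# Constructed detailed policy: "I will not disclose your blood cholesterol
# level" (slide 8) but T-cell counts may be disclosed, the home address is
# used for delivery (slide 6) and purchase history for telemarketing (slide 14).
DETAILED = {("t_cell_count", "disclose"), ("home_address", "deliver"),
            ("purchase_history", "telemarketing")}
```

Adding a grant at the coarser item `blood_test_results` while `blood_cholesterol_level` stays undisclosable makes `is_safe` return False, which is exactly the "less detailed question, more rights" situation slide 15 rules out.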

  18. Projection Algorithm (con’t)

  19. Conclusion
     • Proposed a uniform model for privacy
     • Discovered anomalies in APPEL and XPath
     • Defined clear semantics for P3P compact policies
     • Connected privacy promises with privacy enforcement
     • Provided an algorithm for summarizing detailed policies (e.g. translating EPAL into P3P)
     • In privacy, it is important to consider the differing perspectives of the principals involved

  20. Questions?
