Activity 7: Ontologies and Privacy Principles
Giles Hogben, Joint Research Centre
Email: giles.hogben at jrc.it
Guide to this presentation
• Goals and deliverables within PRIME
• Privacy Principles
• Ontologies
• Policy and Rule Editors
• Research Challenges
• Interfaces With Other Activities
• Other experience
Activity 7: Ontologies & Privacy Principles
• Contributes vocabulary terms and semantics to machine-readable languages
• Facilitates agreement on fundamental Privacy and IDM concepts
• Defines alignment between Legal, Developer and User models
• Separates programme logic, business logic and knowledge (core vocabulary) in the architecture
• Contributes Policy and Rule Editors
Goals in PRIME Privacy Principles Ontologies Policy Editors Interfaces Other Experience
Deliverables
• Reports on conceptual consensus and privacy principles
• Prototype of ontology-based architecture
• Policy and Rule editor code
• Specification of machine-readable vocabulary and semantics for policies and rule bases
• Other ontologies according to requirements
• Contribution to the Integrated Prototype
Activity 7 and Privacy Principles
• Agreement on the meaning and priority of fundamental concepts and principles of privacy
• Importance of a collective conceptual model in PRIME
• Concepts from fundamental principles populate the top level of the ontologies (e.g. purpose, recipient, jurisdiction)
• Higher-level principles give the most stable concepts
Example of definition of fundamental concepts: Identity and Identification
1. "an identifiable person is one who can be identified directly or indirectly by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
2. "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used ... to identify the said person"
(EU Data Protection Directive 95/46/EC)
E.g. a database holding two people (John and Mike) and aggregate data showing that one of them has AIDS. Is the fact "Mike does not have AIDS" part of the "social identity" of John?
Identification
Based on Leibniz's rule, a fact or set of facts identifies a NYM (individual) if, given the new set of FACTs, the number of NYMs in the CANDIDATE SET decreases.
Identity: Unexpected Result
• Any (non-tautologous) FACT may in some context identify a NYM
• The concept of an IDENTITY as a fixed set of FACTs is only useful in contexts where both the ANONYMITY SET and existing knowledge are also fixed and stable
• In Ambient Intelligence environments, the concept of an identity as a fixed set of facts is no longer valid
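As an added example (not part of the slides), the two-person database from the identity slide modelled as possible worlds, with the slide's "candidate set decreases" test applied to a fact that says nothing about John directly; the aggregate "exactly one has AIDS", the diagnosis values and the third person Sara are constructed.

```python
# Added example, not from the slides: Leibniz-style identification test over
# possible worlds. The two-person database, the aggregate "one of them has
# AIDS" and the fact "Mike does not have AIDS" are constructed from the slide.
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

World = Dict[str, str]                 # NYM -> diagnosis in one possible world
Fact = Callable[[World], bool]         # a FACT rules possible worlds in or out
Target = Callable[[World, str], bool]  # the description we try to pin on a NYM

NYMS: Tuple[str, ...] = ("John", "Mike")

def aggregate_worlds(nyms: Tuple[str, ...], positives: int) -> List[World]:
    """Every world consistent with the aggregate 'exactly `positives` have AIDS'."""
    return [dict(zip(nyms, a))
            for a in product(("AIDS", "none"), repeat=len(nyms))
            if a.count("AIDS") == positives]

def candidate_set(worlds: List[World], facts: List[Fact], target: Target) -> Set[str]:
    """NYMs that still satisfy `target` in at least one world consistent with `facts`."""
    live = [w for w in worlds if all(f(w) for f in facts)]
    return {n for w in live for n in w if target(w, n)}

def identifies(worlds: List[World], known: List[Fact], new: Fact, target: Target) -> bool:
    """Leibniz's rule as stated on the slide: the new FACT identifies iff the
    CANDIDATE SET is smaller after adding it to what is already known."""
    before = candidate_set(worlds, known, target)
    after = candidate_set(worlds, known + [new], target)
    return len(after) < len(before)

HAS_AIDS: Target = lambda w, n: w[n] == "AIDS"
MIKE_NEGATIVE: Fact = lambda w: w["Mike"] == "none"      # says nothing about John directly
SOMEONE_POSITIVE: Fact = lambda w: "AIDS" in w.values()  # tautologous given the aggregate

def demo(nyms: Tuple[str, ...] = NYMS) -> Dict[str, object]:
    worlds = aggregate_worlds(nyms, positives=1)
    return {
        "before": candidate_set(worlds, [], HAS_AIDS),
        "after": candidate_set(worlds, [MIKE_NEGATIVE], HAS_AIDS),
        "mike_negative_identifies": identifies(worlds, [], MIKE_NEGATIVE, HAS_AIDS),
        "tautology_identifies": identifies(worlds, [], SOMEONE_POSITIVE, HAS_AIDS),
    }

if __name__ == "__main__":
    print(demo())                          # the fact about Mike singles out John
    print(demo(("John", "Mike", "Sara")))  # larger ANONYMITY SET: candidates shrink to 2, not 1
```

The second call shows the context dependence from the slide: the same fact identifies (the candidate set shrinks) but no longer singles anyone out once the anonymity set grows.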
EU Legislation: Data protection principles
• Transparency
  - Provide the individual with information regarding data collection
  - Give the individual choice/consent regarding use of their data
• Purpose Limitation
  - Limit collection/use of personal data to what is necessary
  - Keep data in identifiable form no longer than necessary for the original purpose
  - Primary and Secondary Purposes
• Sensitive data
  - Health data, religion, etc.: special status, consent
• Security and data quality
  - Provide adequate security against improper use
• Anonymity and Pseudonymity
Ontologies: What is an Ontology?
Ornithology: the study of birds
Oncology: the study of cancer
Onychology: the study of fingernails and toenails
Ontology: a formal specification of terms and their relationships in a specific domain
What is an ontology?
A formal, machine-readable description and semantics of the concepts in a domain. It contains:
• Concepts: classes and subclasses
  - E.g. Data, health data, data controller
• Properties: describe features and attributes
  - E.g. is Collected by
• Restrictions on properties and concepts
  - E.g. PERSONAL is only applied to Living Persons; health data is a subclass of Data
• A set of statements using ontological concepts constitutes a Knowledge Base
  - E.g. [Pulse (instance of jrc:health data) is Collected by Provider X (instance of jrc:data controller)]
What are semantics?
• Semantics specify the connection between terms and the world (an interpretation)
• Most of the work in creating ontologies is in achieving consensus on the semantics
Ontology Consensus Processes
• The most important factor in the success of an ontology is the consensus process which leads to its specification
• Use methods from psychology and cognitive science
  - Scenario-based elicitation
  - Conflict resolution methodologies
  - Alignment of ontologies
  - User groups
  - Textual analysis techniques (including automated)
• "Traditional" methods from W3C and actual W3C processes (e.g. formal specifications, telephone conferences, working groups on concept resolution)
• Building on existing work, e.g. P3P
Formal and Informal Ontologies
• XML languages such as P3P are informal ontologies
  - The semantics of terms is informally defined. E.g. P3P: <purpose><ours/></purpose> = current purpose, with a human-readable definition
  - XML does not provide a rigorous or complete framework for semantics, but it has a high adoption level
• Informal ontologies such as P3P represent a huge body of work towards conceptual consensus
How is an ontology used?
• Most important advantage for PRIME partners: it restricts the use/expression of concepts within an application/user interface so that they are understood by machines, end-users and lawyers. Similar to strict type discipline in programming or to XML schema.
  - E.g. <PURPOSE rdf:type="http://www.prime-eu.org/primeontology.owl"><DIAGNOSIS rdf:type="http://www.prime-eu.org/primeontology.owl#medical" /></PURPOSE>
• Other uses:
  - Reasoning (see next slide)
  - Language independence (Privacy == Riservatezza == Concept112301)
  - Standardized descriptions for user interfaces
Reasoning example 3. Ability to reason about relationships between devices. Example:
• 1. M(Heart Rate,T1,X): A heart rate measurement will be made for anonymous individual X at time T1
• 2. M(Weight,T2,X): A weight measurement will be made for the same anonymous individual at time T2 (T2-T1 < 1 min)
• 3. M(Heart Rate,T1,X) ^ M(Weight,T2,X) entails K(Fitness rating,X): If we know the heart rate and weight of X within 1 minute of each other, we know their fitness
• 4. Fitness rating is classed as a Unique Identifier
• 5. Unique Identifiers constitute Personal Information
• 6. (1. ^ 2. ^ 3. ^ 4. ^ 5.) entails K(personal information,X): Statements 1-5 together entail that personal information is captured
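An added example (not from the slides) that runs the inference chain above as a small forward-chaining reasoner: rule 3 fires on measurement pairs inside the time window and rules 4-5 are a subclass hierarchy climbed to a fixpoint. The measurement times and the second individual Y are constructed to show the case where the window condition fails.

```python
# Added example, not from the slides: a forward-chaining reasoner that derives
# K(personal information, X) from measurements 1-2 and rules 3-5 above. The
# measurement times and the second individual Y are constructed.
from typing import Dict, List, Set, Tuple

Measurement = Tuple[str, int, str]   # M(kind, time in seconds, nym)
Known = Tuple[str, str]              # K(category, nym)

# Rules 4 and 5 as a subclass hierarchy: category -> more general category
SUBCLASS_OF: Dict[str, str] = {
    "Fitness rating": "Unique Identifier",
    "Unique Identifier": "Personal Information",
}

# Constructed knowledge base: X's readings are 30 s apart, Y's an hour apart.
MEASUREMENTS: List[Measurement] = [
    ("Heart Rate", 0, "X"), ("Weight", 30, "X"),
    ("Heart Rate", 0, "Y"), ("Weight", 3600, "Y"),
]

def infer(measurements: List[Measurement], subclass_of: Dict[str, str],
          window_s: int = 60) -> Set[Known]:
    """Return every K(category, nym) entailed by rule 3 plus the hierarchy."""
    known: Set[Known] = set()
    # Rule 3: heart rate and weight for the same NYM within the window => fitness rating
    for kind1, t1, x in measurements:
        for kind2, t2, y in measurements:
            if (kind1 == "Heart Rate" and kind2 == "Weight" and x == y
                    and abs(t2 - t1) < window_s):
                known.add(("Fitness rating", x))
    # Rules 4-5: climb the subclass chain until nothing new is derived
    changed = True
    while changed:
        changed = False
        for cat, nym in list(known):
            parent = subclass_of.get(cat)
            if parent and (parent, nym) not in known:
                known.add((parent, nym))
                changed = True
    return known

def captures_personal_information(nym: str, measurements: List[Measurement] = MEASUREMENTS,
                                  subclass_of: Dict[str, str] = SUBCLASS_OF) -> bool:
    """The question a policy engine would ask before permitting both sensors."""
    return ("Personal Information", nym) in infer(measurements, subclass_of)

if __name__ == "__main__":
    print(sorted(infer(MEASUREMENTS, SUBCLASS_OF)))
    print(captures_personal_information("X"), captures_personal_information("Y"))  # True False
```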
Alignment of Legal, User and Technical Models
(Diagram labels: Legal, Rule System, Developers, Program Logic, Ontology, End-Users)
Example Concepts: Ontology of Identification (shown in OntoEdit)
Example Relations: Ontology of Identification
Ontologies as graphs
Formal modelling of Privacy Concepts
Fig. 5. Preliminary model of identity using concepts from RDF, RDFS and OWL
Ontology Usage Example: Agent to Agent Contracts
Example Contract Engine ECA Rules
Rule 1.
• Event: Contract detected and downloaded
• Condition: Run the following rule on the contract (Notation: N3 [12]):
  Log:forAll :x, :y (CSO:end user :x CSO:may resell (CSO:return value :y where :y CSO:return value of :web service :z))
• Action: Behavior:Assent
• In plain English: on discovery of the contract, if the agreement states that all end-users may resell the return values of the service, then assent to the agreement.
Rule 2 (a catch-all rule).
• Event: Contract detected and downloaded
• Condition: (*) wildcard
• Action: Behavior:Do Not Assent
• In plain English: if no other rule fires, do not assent.
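An added example (not the project's contract engine) of an event-condition-action evaluator for the two rules above, with the wildcard rule as the fail-closed default and a check that a catch-all is not placed where it would shadow later rules; the contracts are simplified to constructed sets of (subject, predicate, object) triples standing in for the N3 statements.

```python
# Added example, not from the slides: an event-condition-action evaluator for
# the two contract rules above. Contracts are simplified here to sets of
# (subject, predicate, object) triples standing in for the N3 statements.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

Triple = Tuple[str, str, str]
Contract = FrozenSet[Triple]

@dataclass(frozen=True)
class ECARule:
    name: str
    event: str
    condition: Callable[[Contract], bool]
    action: str

def resell_permitted(contract: Contract) -> bool:
    """Rule 1 condition: the agreement states that end users may resell the
    return values of the web service (both statements must be present)."""
    required = {("end user", "may resell", "return value"),
                ("return value", "return value of", "web service")}
    return required <= contract

CONTRACT_DOWNLOADED = "contract detected and downloaded"
RULES: List[ECARule] = [
    ECARule("Rule 1", CONTRACT_DOWNLOADED, resell_permitted, "Assent"),
    ECARule("Rule 2", CONTRACT_DOWNLOADED, lambda c: True, "Do Not Assent"),  # catch-all
]

def check_rule_order(rules: List[ECARule]) -> Optional[str]:
    """Heuristic: a condition that accepts both an empty and an unrelated contract
    is a wildcard; anywhere but last it would shadow every rule after it."""
    for rule in rules[:-1]:
        if rule.condition(frozenset()) and rule.condition(frozenset({("a", "b", "c")})):
            return rule.name
    return None

def evaluate(event: str, contract: Contract, rules: List[ECARule] = RULES) -> Tuple[str, str]:
    """First rule whose event and condition match decides; default is not to assent."""
    shadowing = check_rule_order(rules)
    if shadowing:
        raise ValueError(f"{shadowing} is a catch-all but is not the last rule")
    for rule in rules:
        if rule.event == event and rule.condition(contract):
            return rule.name, rule.action
    return "no rule", "Do Not Assent"  # no catch-all configured: still fail closed

# Constructed sample contracts
PERMISSIVE: Contract = frozenset({("end user", "may resell", "return value"),
                                  ("return value", "return value of", "web service")})
RESTRICTIVE: Contract = frozenset({("end user", "may not resell", "return value")})
```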
Ontology-based Architecture
• Separates
  - the business/legal logic (when to sign contracts) from
  - the program logic (how to download a contract) and
  - the knowledge (what can be in a contract)
• Provides easy alignment of diverse conceptual schemes (e.g. legal and user)
• These architectural principles are key to PRIME's success
Ontology-based Architecture
FROM THE PRIME PROJECT PLAN
"Principle 2, Explicit privacy rules govern system usage: … rule systems, i.e., technical policies, determine how to use the system: policies for trust establishment and reputation; privacy preferences and privacy authorization policies; delegation policies; and QoS-type policies for selecting among security and privacy options."
"Principle 5, Users need easy and intuitive abstractions of privacy: The technology listed so far allows the construction of a system that is capable of giving strong privacy guarantees. But experience shows that such technology is not directly usable by normal users. Instead, normal users need intuitive metaphors and mental models that hide technicalities like pseudonyms and privacy policies."
Ontology Based Architecture
(Diagram labels: Legal, Rule System, Developers, Software Components, Ontology, End-Users)
Ontology Alignment
(Diagram aligning one preference as expressed by USERS, APPLICATIONS and REGULATORS: "No Spam Please", "Restrict Posting on Public Fora", "Forbid transmission to 3rd-Party Recipients")
Ontologies and XML
XML
• Provides informal ontological semantics (e.g. tag nesting == sub-classing, etc.)
• Existing software can parse and search XML
• Easy for the techie to read
• Many informal ontologies exist in XML (e.g. P3P)
• Not all ontological concepts can be expressed (e.g. sameindividualas)
• No formal semantics
• Not suited to reasoning
OWL/RDF (became a W3C official spec on Feb 10th)
• Much richer syntax (e.g. disjoint, complete, sameas, etc.)
• Formal semantics, more suited to reasoning
• Almost impossible to read by eye, even for techies
• No parsers incorporated in current software
Policy and Rule Editors: JRC Privacy Policy Editor
• Open source Java P3P Policy Editor
• Complete solution for enabling a web site with automated privacy
• Easily configurable to other policy formats
• Modular and expandable
• Extensible data typing schemas
• Legal hints mechanism
• Code written for slot-in of ontology mechanisms and different types of policy
• (Code still under development)
JRC Privacy Policy Editor Screenshot 1
JRC Privacy Policy Editor Screenshot 2
JRC Privacy Policy Editor Screenshot 3
JRC Privacy Policy Editor Screenshot 4
JRC Privacy Policy Editor Screenshot 5
Research Challenges
• Achieving consensus
• Privacy ontologies contain ontological primitives (e.g. identity, set of individuals, etc.)
• Easing change of ontological models in the architecture
• Creating good user interfaces to policy languages
Interfaces with other activities
• Authorization models
  - Activity 7 captures vocabulary elements and relationships for policy languages
  - Activity 7 works on integration of ontologies into the rule-ontology-application code architecture
  - Provision of alignment mechanisms between user metaphors, legal language and machine-readable languages
  - Policy/rule editor applications: JRC has a lot of existing Java code
Interfaces with other activities
• HCI
  - Standardization of the verbal expression of concepts within user interfaces by reference to ontologies/schemas (similar to P3P's "user agent guidelines")
  - Alignment of verbal expression with legal and technical requirements
• User/Server IDM
  - Work on IDM metaphors and concepts
  - Policy Editors?
Interfaces with other activities
• Application Prototypes
  - Input to architecture models
  - Analysis of new architectural paradigms within AmI
• Legal, Socio-Economic
  - Capture of legal concepts
  - Work on definition of high-level concepts and priorities
Interfaces with other activities
• Standardization and W3C
  - Standardization of ontologies
  - Integration of P3P and EPAL work
What else do we bring to the project? P3P
• Open source implementation of a fully compliant P3P user agent
  - Decision engine
  - HTTP proxy shell
  - Developer-friendly API just released (http://p3p.jrc.it/downloadP3P.php)
• Experience in the standardization process for a policy language
What else do we bring to the project? AmI
• New information collection paradigm
• Much more hidden data collection: no choice for the user
• Exponentially increased power of inference
• "Spatial privacy" becomes more important (SPAMI)
• See Act 3 Presentation http://www.-----