1 / 27

WS-Privacy

WS-Privacy. Paul Bui Ryan Dickey. Agenda. WS-Privacy Introduction to P3P How P3P Works P3P Details A P3P Scenario Conclusion References. Introduction to WS-Privacy. Organizations create, manage and use web services These organizations need to state their privacy policies

sherron
Download Presentation

WS-Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WS-Privacy Paul Bui Ryan Dickey

  2. Agenda • WS-Privacy • Introduction to P3P • How P3P Works • P3P Details • A P3P Scenario • Conclusion • References

  3. Introduction to WS-Privacy • Organizations create, manage and use web services • These organizations need to state their privacy policies • They also need to require that incoming requests adhere to these policies

  4. P3P Still Under Development • The specification will describe a model for how a privacy language may be embedded into WS-Policy descriptions • WS-Security will associate privacy claims with a message • WS-Trust mechanisms can be used to evaluate these privacy claims for both user preferences and organizational practice claims

  5. New Name! • WS-Privacy is currently implemented as the Platform for Privacy Preferences Project 1.0 Specification (P3P1.0) • This provides a model for how privacy preferences and organizational privacy practices are conveyed.

  6. Platform for PrivacyPreferences Project • Also known as P3P • A simple, automated way for users to gain more control over the use of their personal information on websites • Basically a set of multiple-choice questions covering all major aspects of a website’s privacy policies

  7. How P3P Works • P3P-enabled websites state their privacy policies in a standard, machine-readable format (XML) • P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences

  8. Making Your WebsiteP3P Compliant

  9. An HTTP TransactionWith P3P Added

  10. A P3P Scenario homepage catalog checkout P3P Policy

  11. P3P Policy Elements • <ENTITY> gives a precise description of the legal entity making the representation of the privacy practices. • <ACCESS> indicates whether the site provides access to various kinds of information.

  12. P3P Policy Elements cont’d • <DISPUTES> describes dispute resolution procedures that may be followed for disputes about a services' privacy practices, or in case of protocol violation. • Each <DISPUTES> element SHOULD contain a <REMEDIES> element that specifies the possible remedies in case a policy breach occurs.

  13. P3P Policy Elements (cont’d) • <STATEMENT> is a container that groups together a <PURPOSE>, a <RECIPIENT>, a <RETENTION>, a <DATA-GROUP>, and optionally a <CONSEQUENCE> • A statement concerns the data practices as applied to data elements (e.g., data collection)

  14. P3P Policy Elements cont’d • A <STATEMENT> may contain <NON-IDENTIFIABLE>, signifying that there is no data collected under this <STATEMENT>, or that all of the data referenced by that <STATEMENT> will be anonymized upon collection • <CONSEQUENCE> explains why the suggested practice may be valuable in a particular instance

  15. P3P Policy Elements cont’d • A <PURPOSE> must contain one or more purposes for data collection • E.g. • <current/> to complete current activity (e.g. web search results) • <admin/> to administrate the site • <historical/> historical preservation • <telemarketing/> used to contact individual about promotions and etc.

  16. P3P Policy Elements cont’d • <RECEPIENT> is the legal entity, or domain, beyond the service provider and its agents where data may be distributed • <RETENTION> is the type of retention policy of the data • <no-retention/> • <indefinitely/>

  17. P3P Policy Elements cont’d • <CATEGORIES> are elements inside data elements that provide hints to users and user agents as to the intended uses of the data. • <physical/> physical contact info • <online/> online contact info • <purchase/> method of payment • <demographic/> gender, age, income, etc. • <health/> to aid purchasing of healthcare products • etc.

  18. P3P Example • http://www.w3.org/TR/P3P/ #Example_policy a step by step example of implementing p3p

  19. P3P-Enabled Examples • Yahoo! • About • Angelfire • Dell • Netscape 7 • IE 6 (cookie element only)

  20. Demo 1 • Show the P3P documents in action at a live site

  21. Demo 2 • Show the P3P policies in action at a live site • Demonstrate a policy of requiring cookies to be enabled (e.g., PayPal) running against a browser with cookie settings turned on and off

  22. P3P Adoption • Ernst & Young report (Jan. 2004) on P3P adoption rates: • 23% of the Top 500 web domains • 31% of the Top 100 web domains • 50% of the top health domains • 64% of the top ___ domains

  23. P3P Caveats • P3P does not enforce adherence to privacy policies • P3P cannot monitor whether sites adhere to their own stated practices • Thus users do not know whether their policy preferences are actually being enforced

  24. Conclusion • P3P is a system for making Web site privacy policies machine-readable • P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and enables users to act on what they see. (e.g., a popup)

  25. Primary References • http://www.w3.org/P3P/ the comprehensive page for P3P • http://www.w3.org/TR/P3P/ the current P3P technical specification

  26. Secondary References • http://www.serviceoriented.org/ ws-privacy.html • a summary of WS-privacy • http://wdvl.internet.com/Internet/Security/P3P/ • a sample P3P page • http://www.ey.com/global/download.nsf/US/P3P_Dashboard_-_January_2004/$file /E&YTop500P3PDashboard.pdf • statistical information

  27. Tools • tool1 • tool2 • tool3

More Related