© 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P |...

© 2002 IBM Corporation

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

Shortcomings of P3P for Privacy Authorization

Lessons Learned when using P3P for Privacy Authorization

Paul Ashley, IBM Software GroupGünter Karjoth, IBM Research



Outline

1.The Privacy Pie

The Complete Picture

The Pieces of the Pie

2.Choices for Enforcing Privacy

3.Practical Experiences with using P3P

4.Conclusions



1.0 The Complete Picture „The Privacy Pie“

NoticeCollectConsent

Enforce Privacy

Policy

AuditCompliance

P3P



1.1. Notice

Publishing a Privacy Notice: Privacy promise Offered user choices

Requirements: Unified global format Well-defined semantics and user-agent guidelines Describes user‘s view of enterprises (= disclosure-oriented)

P3P: Well-suited for Notices

Data User

Mark the box if we can send your home address to our trusted partners.



1.2. Collecting Consent

Collecting Consent from Data-Subjects: Consent to a particular privacy policy Choices for the provided options

Requirements: Well-defined back-channel User‘s View

P3P: Not applicable No well-defined format available Usually integrated into applications

Data Subject

I agree with this policy and I

marked the box.



1.3. Privacy Enforcement

Enforcing Privacy Restrictions within the Enterprise: Consented privacy promises Enterprise-internal Privacy Policy

Requirements: Fine-grained; enterprise-view Compatible with privacy promises Adoptable to varying enterprises

P3P: Not fine-grained Identical to promises Personal

Data

Application

Your requestis not

allowed by the policy!



1.4a. Audit

in Traditional Access control, logging the access is enough

in Privacy Management, all actions on PII must be justified in terms of authorizations

Data Subject

Why did you send me spam?

Data User

Because you opted in to the marketing policy 1 on

April 1, 2002.



1.4b. Reporting

Providing Privacy Reports: What personal data is stored? What is the applicable policy for each piece of data? How was a certain piece of data accessed in the past?

Requirements: Extensive logging Policy and consent management

P3P: Only for promises

Inventory

UsageLog

Policy Report



2. Choices for Enforcing Privacy

Do nothing and pray

Coding privacy policy into applications– cost of coding and maintenance becomes prohibitive

– time to change to a new policy is far too large.

– each of the applications has to be modified for each policy change

– difficult reporting and auditing

Centralized Enforcement Infrastructure– centralized consent and policy management

– centralized auditing and reporting

– distributed enforcement



3. Practical Experiences with Using P3P for an Authorization Language

Use of predefined types

Only action is use

No obligations

No disallow rule

Limited conditions



3.1 Use of pre-defined types

P3P pre-defines a set of types:

Data Categories (17): physical, online, uniqueid, purchase, financial, navigation, demographic, content, health, preference, …

Purpose (12): current, pseudo-analysis, individual-decision, contact, telemarketing, admin, develop, tailoring, …

Recipient (6): ours, same, delivery, unrelated Retention (5): no-retention, stated-purpose, business-practices, indefinitely, ..

useful for interoperability but not for authorization

Useful purposes in health care: medical_diagnosis, blood_research, statistical_analysis, billing

enterprises want to define their own types !



3.2 No obligations

P3P does not allow the use of an obligation in a policy !

For example, our health care customers wanted to write policy statements of the form:

– ALLOW general_practioners to READ medical_records if {some conditions} with obligation {if patient is of VIP category flag alert}

– ALLOW sales to WRITE customer_data if {conditions} with obligation {if customer < 18 then get parent approval or delete data within 7 days}

We were unable to implement these policies with our customers.



3.3 No disallow rule

Policies become much more complicated than necessary !

Engineering: e_assistants, e_managers, e_contractors, e_architects, e_administrative

A customer required a set of rules:– ALLOW engineering to READ customer_engineering_data– DISALLOW e_contractors to READ customer_engineering_data

Not having a DISALLOW rule means that this would have to be rewritten as– ALLOW e_assistants to READ customer_engineering_data– ALLOW e_managers to READ customer_engineering_data– ALLOW e_architects to READ customer_engineering_data– ALLOW e_architects to READ customer_engineering_data



4. Conclusions

P3P is well-suited for formalizing privacy promises that are communicated to end-users

P3P is too coarse-grained

many of the policy statements from our customers required conditions to be evaluated.

P3P lacks some features for enterprise-internal privacy enforcement.

=> enforceable Privacy Policy Language is Needed

© 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P |...

Documents

Transcript of © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P |...