© 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P |...

14
© 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings of P3P for Privacy Authorization Lessons Learned when using P3P for Privacy Authorization Paul Ashley, IBM Software Group Günter Karjoth, IBM Research

Transcript of © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P |...

Page 1: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

© 2002 IBM Corporation

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

Shortcomings of P3P for Privacy Authorization

Lessons Learned when using P3P for Privacy Authorization

Paul Ashley, IBM Software GroupGünter Karjoth, IBM Research

Page 2: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

Outline

1.The Privacy Pie

The Complete Picture

The Pieces of the Pie

2.Choices for Enforcing Privacy

3.Practical Experiences with using P3P

4.Conclusions

Page 3: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

1.0 The Complete Picture „The Privacy Pie“

NoticeCollectConsent

Enforce Privacy

Policy

AuditCompliance

P3P

Page 4: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

1.1. Notice

Publishing a Privacy Notice: Privacy promise Offered user choices

Requirements: Unified global format Well-defined semantics and user-agent guidelines Describes user‘s view of enterprises (= disclosure-oriented)

P3P: Well-suited for Notices

Data User

Mark the box if we can send your home address to our trusted partners.

Page 5: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

1.2. Collecting Consent

Collecting Consent from Data-Subjects: Consent to a particular privacy policy Choices for the provided options

Requirements: Well-defined back-channel User‘s View

P3P: Not applicable No well-defined format available Usually integrated into applications

Data Subject

I agree with this policy and I

marked the box.

Page 6: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

1.3. Privacy Enforcement

Enforcing Privacy Restrictions within the Enterprise: Consented privacy promises Enterprise-internal Privacy Policy

Requirements: Fine-grained; enterprise-view Compatible with privacy promises Adoptable to varying enterprises

P3P: Not fine-grained Identical to promises Personal

Data

Application

Your requestis not

allowed by the policy!

Page 7: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

1.4a. Audit

in Traditional Access control, logging the access is enough

in Privacy Management, all actions on PII must be justified in terms of authorizations

Data Subject

Why did you send me spam?

Data User

Because you opted in to the marketing policy 1 on

April 1, 2002.

Page 8: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

1.4b. Reporting

Providing Privacy Reports: What personal data is stored? What is the applicable policy for each piece of data? How was a certain piece of data accessed in the past?

Requirements: Extensive logging Policy and consent management

P3P: Only for promises

Inventory

UsageLog

Policy Report

Page 9: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

2. Choices for Enforcing Privacy

Do nothing and pray

Coding privacy policy into applications– cost of coding and maintenance becomes prohibitive

– time to change to a new policy is far too large. 

– each of the applications has to be modified for each policy change

– difficult reporting and auditing

Centralized Enforcement Infrastructure– centralized consent and policy management

– centralized auditing and reporting

– distributed enforcement

Page 10: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

3. Practical Experiences with Using P3P for an Authorization Language

Use of predefined types

Only action is use

No obligations

No disallow rule

Limited conditions

Page 11: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

3.1 Use of pre-defined types

P3P pre-defines a set of types:

Data Categories (17): physical, online, uniqueid, purchase, financial, navigation, demographic, content, health, preference, …

Purpose (12): current, pseudo-analysis, individual-decision, contact, telemarketing, admin, develop, tailoring, …

Recipient (6): ours, same, delivery, unrelated Retention (5): no-retention, stated-purpose, business-practices, indefinitely, ..

useful for interoperability but not for authorization

Useful purposes in health care: medical_diagnosis, blood_research, statistical_analysis, billing

enterprises want to define their own types !

Page 12: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

3.2 No obligations

P3P does not allow the use of an obligation in a policy !

For example, our health care customers wanted to write policy statements of the form:

– ALLOW general_practioners to READ medical_records if {some conditions} with obligation {if patient is of VIP category flag alert}

– ALLOW sales to WRITE customer_data if {conditions} with obligation {if customer < 18 then get parent approval or delete data within 7 days}

We were unable to implement these policies with our customers.

Page 13: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

3.3 No disallow rule

Policies become much more complicated than necessary !

Engineering: e_assistants, e_managers, e_contractors, e_architects, e_administrative

A customer required a set of rules:– ALLOW engineering to READ customer_engineering_data– DISALLOW e_contractors to READ customer_engineering_data

Not having a DISALLOW rule means that this would have to be rewritten as– ALLOW e_assistants to READ customer_engineering_data– ALLOW e_managers to READ customer_engineering_data– ALLOW e_architects to READ customer_engineering_data– ALLOW e_architects to READ customer_engineering_data

Page 14: © 2002 IBM Corporation IBM Zurich Research Laboratory W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation Shortcomings.

IBM Zurich Research Laboratory

W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation

4. Conclusions

P3P is well-suited for formalizing privacy promises that are communicated to end-users

P3P is too coarse-grained

many of the policy statements from our customers required conditions to be evaluated.

P3P lacks some features for enterprise-internal privacy enforcement.

=> enforceable Privacy Policy Language is Needed