© 2002 IBM Corporation
IBM Zurich Research Laboratory
W3C Workshop on the long term Future of P3P | June 19-20 2003 © 2003 IBM Corporation
Shortcomings of P3P for Privacy Authorization
Lessons Learned when using P3P for Privacy Authorization
Paul Ashley, IBM Software Group
Günter Karjoth, IBM Research
Outline
1. The Privacy Pie
– The Complete Picture
– The Pieces of the Pie
2. Choices for Enforcing Privacy
3. Practical Experiences with using P3P
4. Conclusions
1.0 The Complete Picture: "The Privacy Pie"
[Figure: a pie with four pieces: Notice, Collect Consent, Enforce Privacy Policy, Audit Compliance. P3P is marked on the Notice piece.]
1.1. Notice
Publishing a Privacy Notice:
– Privacy promise
– Offered user choices
Requirements:
– Unified global format
– Well-defined semantics and user-agent guidelines
– Describes the user's view of the enterprise (= disclosure-oriented)
P3P: Well-suited for Notices
[Cartoon: Data User: "Mark the box if we can send your home address to our trusted partners."]
1.2. Collecting Consent
Collecting Consent from Data Subjects:
– Consent to a particular privacy policy
– Choices for the provided options
Requirements:
– Well-defined back-channel
– User's view
P3P: Not applicable
– No well-defined format available
– Usually integrated into applications
[Cartoon: Data Subject: "I agree with this policy and I marked the box."]
1.3. Privacy Enforcement
Enforcing Privacy Restrictions within the Enterprise:
– Consented privacy promises
– Enterprise-internal privacy policy
Requirements:
– Fine-grained; enterprise view
– Compatible with privacy promises
– Adaptable to varying enterprises
P3P: Not fine-grained; identical to the promises
[Figure: an Application requests Personal Data and is answered: "Your request is not allowed by the policy!"]
1.4a. Audit
In traditional access control, logging the access is enough.
In privacy management, all actions on PII must be justified in terms of authorizations.
[Cartoon: Data Subject: "Why did you send me spam?" Data User: "Because you opted in to marketing policy 1 on April 1, 2002."]
1.4b. Reporting
Providing Privacy Reports:
– What personal data is stored?
– What is the applicable policy for each piece of data?
– How was a certain piece of data accessed in the past?
Requirements:
– Extensive logging
– Policy and consent management
P3P: Only for promises
[Figure: Inventory, Usage Log, Policy Report]
2. Choices for Enforcing Privacy
Do nothing and pray
Coding privacy policy into applications
– cost of coding and maintenance becomes prohibitive
– time to change to a new policy is far too long
– each of the applications has to be modified for each policy change
– difficult reporting and auditing
Centralized Enforcement Infrastructure
– centralized consent and policy management
– centralized auditing and reporting
– distributed enforcement
3. Practical Experiences with Using P3P for an Authorization Language
Use of predefined types
Only action is use
No obligations
No disallow rule
Limited conditions
3.1 Use of pre-defined types
P3P pre-defines a set of types:
– Data Categories (17): physical, online, uniqueid, purchase, financial, navigation, demographic, content, health, preference, …
– Purpose (12): current, pseudo-analysis, individual-decision, contact, telemarketing, admin, develop, tailoring, …
– Recipient (6): ours, same, delivery, unrelated, …
– Retention (5): no-retention, stated-purpose, business-practices, indefinitely, …
Useful for interoperability, but not for authorization.
Useful purposes in health care: medical_diagnosis, blood_research, statistical_analysis, billing
Enterprises want to define their own types!
3.2 No obligations
P3P does not allow the use of an obligation in a policy!
For example, our health care customers wanted to write policy statements of the form:
– ALLOW general_practitioners to READ medical_records if {some conditions} with obligation {if patient is of VIP category, flag alert}
– ALLOW sales to WRITE customer_data if {conditions} with obligation {if customer < 18 then get parent approval or delete data within 7 days}
We were unable to implement these policies with our customers.
3.3 No disallow rule
Policies become much more complicated than necessary!
Engineering: e_assistants, e_managers, e_contractors, e_architects, e_administrative
A customer required a set of rules:
– ALLOW engineering to READ customer_engineering_data
– DISALLOW e_contractors to READ customer_engineering_data
Not having a DISALLOW rule means that this would have to be rewritten as:
– ALLOW e_assistants to READ customer_engineering_data
– ALLOW e_managers to READ customer_engineering_data
– ALLOW e_architects to READ customer_engineering_data
– ALLOW e_administrative to READ customer_engineering_data
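As an added example (not code from the slides or from any IBM product), the small Python evaluator below implements the rule style the customers in 3.2 and 3.3 asked for and that P3P cannot express: enterprise-defined data types and purposes (3.1), actions other than "use", conditions, obligations, and an explicit DISALLOW rule. Each decision also records the rule and the consent record that justify it, which is what the audit exchange in 1.4a needs. Every group, data type, purpose, rule identifier, request context and consent record in it is a constructed assumption.

```python
"""Toy enterprise privacy-authorization evaluator (constructed example).

Not code from the talk or any product; rule, group, data and purpose
names are hypothetical.  Shows the constructs P3P lacks as an
authorization language and keeps a justification for every decision.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

ENGINEERING = frozenset({"e_assistants", "e_managers", "e_contractors",
                         "e_architects", "e_administrative"})


@dataclass
class Rule:
    rule_id: str
    effect: str                            # "allow" or "deny" (DISALLOW)
    groups: frozenset                      # user groups the rule covers
    action: str                            # read/write/send; P3P has only "use"
    data: str                              # enterprise-defined data type
    purpose: Optional[str] = None          # enterprise-defined purpose; None = any
    needs_consent: bool = False            # data subject must have opted in
    condition: Callable[[dict], bool] = lambda ctx: True
    obligations: tuple = ()                # (text, predicate) pairs


@dataclass
class Decision:
    allowed: bool
    rule_id: Optional[str]                 # rule that justifies the outcome
    obligations: list = field(default_factory=list)
    consent: Optional[dict] = None         # consent record the allow rests on


def _applies(rule: Rule, ctx: dict) -> bool:
    # group/action/data first, so a condition only runs on requests that carry its attributes
    return (ctx["group"] in rule.groups and rule.action == ctx["action"]
            and rule.data == ctx["data"]
            and (rule.purpose is None or rule.purpose == ctx.get("purpose"))
            and rule.condition(ctx))


def evaluate(rules: list, ctx: dict, consents: dict) -> Decision:
    """Deny-overrides: a matching DISALLOW beats every matching ALLOW.
    An ALLOW that needs consent is skipped when the subject never opted in."""
    applicable = [r for r in rules if _applies(r, ctx)]
    for r in applicable:
        if r.effect == "deny":
            return Decision(False, r.rule_id)
    for r in applicable:
        consent = consents.get((ctx.get("subject"), r.purpose))
        if r.needs_consent and consent is None:
            continue
        fired = [text for text, pred in r.obligations if pred(ctx)]
        return Decision(True, r.rule_id, fired, consent)
    return Decision(False, None)


# Constructed policy covering the customer scenarios from the talk.
POLICY = [
    # 3.3: one ALLOW plus one DISALLOW instead of enumerating four groups
    Rule("eng-1", "allow", ENGINEERING, "read", "customer_engineering_data"),
    Rule("eng-2", "deny", frozenset({"e_contractors"}), "read",
         "customer_engineering_data"),
    # 3.2: condition plus obligation on medical records (custom purpose)
    Rule("med-1", "allow", frozenset({"general_practitioners"}), "read",
         "medical_records", purpose="medical_diagnosis",
         condition=lambda c: c["subject"] in c["patients_of_user"],
         obligations=(("flag VIP alert", lambda c: c.get("vip", False)),)),
    # 3.2: obligation that depends on the customer's age
    Rule("sales-1", "allow", frozenset({"sales"}), "write", "customer_data",
         condition=lambda c: c["channel"] == "web_form",
         obligations=(("get parent approval or delete within 7 days",
                       lambda c: c["age"] < 18),)),
    # 1.4a: sending marketing mail is allowed only with the subject's opt-in
    Rule("mkt-1", "allow", frozenset({"marketing"}), "send", "email",
         purpose="marketing", needs_consent=True),
]

# Constructed consent store: (subject, purpose) -> how consent was collected
CONSENTS = {("alice", "marketing"): {"policy": "marketing policy 1",
                                     "date": "2002-04-01"}}


def contractor_read() -> Decision:
    return evaluate(POLICY, {"group": "e_contractors", "action": "read",
                             "data": "customer_engineering_data"}, CONSENTS)

def gp_reads_vip() -> Decision:
    return evaluate(POLICY, {"group": "general_practitioners", "action": "read",
                             "data": "medical_records",
                             "purpose": "medical_diagnosis", "subject": "bob",
                             "patients_of_user": {"bob"}, "vip": True}, CONSENTS)

def why_spam(subject: str) -> Decision:
    """Answers the audit question: which rule and which consent allowed the mail?"""
    return evaluate(POLICY, {"group": "marketing", "action": "send",
                             "data": "email", "purpose": "marketing",
                             "subject": subject}, CONSENTS)
```

Calling `contractor_read()` returns a denial justified by `eng-2` even though `eng-1` matches, which is the deny-overrides behaviour the two-rule policy in 3.3 relies on. `gp_reads_vip()` returns an allow carrying the "flag VIP alert" obligation, and `why_spam("alice")` returns the consent record (policy and date) that an auditor would quote back to the data subject, while `why_spam("carol")` is refused because no opt-in exists.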
4. Conclusions
P3P is well-suited for formalizing privacy promises that are communicated to end-users.
P3P is too coarse-grained: many of the policy statements from our customers required conditions to be evaluated.
P3P lacks some features for enterprise-internal privacy enforcement.
=> An enforceable privacy policy language is needed.