Week 7 slides
Transcript

  • 1. Privacy Authorization Languages Week 7 - October 10, 12
  • 2. Privacy languages serve many roles
    • Specify organization’s privacy policy to end users and their agents
    • Specify users’ privacy preferences to users’ agent
    • Specify organization’s privacy policy to gatekeeper server that can approve or deny requests to access database
    • Specify policy associated with particular data elements to parties that buy or rent data
  • 3. Can one privacy language do it all?
    • Maybe…
    • But so far none have emerged
    • We’ve found over a dozen privacy languages (including several access control and rule languages used for privacy applications)
    • Languages have different audiences, specify policies at different levels of granularity, and have different strengths and weaknesses
  • 4. User privacy preferences
    • P3P 1.0 agents may (optionally) take action based on user preferences
      • Users should not have to trust privacy defaults set by software vendors
      • User agents that can read APPEL (A P3P Preference Exchange Language) files can offer users a number of canned choices developed by trusted organizations
      • Preference editors allow users to adapt existing preferences to suit their own tastes, or create new preferences from scratch
      • For more info on APPEL see http://www.w3.org/TR/WD-P3P-preferences or Chapter 13 in Web Privacy with P3P
  • 5. APPEL rule
    • <appel:RULE behavior="limited" prompt="yes"
    • description="Warning! Data may be shared.">
    • <p3p:POLICY>
    • <p3p:STATEMENT>
    • <p3p:RECIPIENT appel:connective="or">
    • <p3p:same/>
    • <p3p:other-recipient/>
    • <p3p:public/>
    • <p3p:unrelated/>
    • </p3p:RECIPIENT>
    • </p3p:STATEMENT>
    • </p3p:POLICY>
    • </appel:RULE>
    • Callouts on the slide:
      • behavior: request, block, limited
      • description
      • connective: or, and, non-or, non-and, and-exact, or-exact
      • pattern
  • 6. What does this APPEL ruleset do?
    • <?xml version="1.0"?>
    • <appel:RULESET xmlns:appel="http://www.w3.org/2001/02/APPELv1"
    • xmlns:p3p="http://www.w3.org/2000/12/P3Pv1" crtdby="Lorrie Cranor">
    • <appel:RULE behavior="limited" description="WHAT DOES IT DO?">
    • <p3p:POLICY>
    • <p3p:STATEMENT>
    • <p3p:PURPOSE appel:connective="or">
    • <p3p:contact required="opt-out"/>
    • <p3p:telemarketing required="opt-out"/>
    • <p3p:contact required="always"/>
    • <p3p:telemarketing required="always"/>
    • </p3p:PURPOSE>
    • </p3p:STATEMENT>
    • </p3p:POLICY>
    • </appel:RULE>
    • <appel:RULE behavior="request">
    • <appel:OTHERWISE/>
    • </appel:RULE>
    • </appel:RULESET>
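
The ruleset on slide 6 can be run against sample policies to see which rule fires. This is an added example, not code from the course: `policy`, `matches` and `evaluate` are hypothetical helpers that implement a simplified subset of APPEL matching (only the `and` and `or` connectives), the ruleset is condensed from the slide with `description` and `crtdby` omitted, and the sample policies are constructed.

```python
import xml.etree.ElementTree as ET

APPEL = "{http://www.w3.org/2001/02/APPELv1}"
NS = ('xmlns:appel="http://www.w3.org/2001/02/APPELv1" '
      'xmlns:p3p="http://www.w3.org/2000/12/P3Pv1"')
P3P_DEFAULTS = {"required": "always"}  # P3P 1.0 default when the attribute is absent

# Ruleset from slide 6, whitespace condensed.
RULESET = f"""<appel:RULESET {NS}>
 <appel:RULE behavior="limited"><p3p:POLICY><p3p:STATEMENT>
  <p3p:PURPOSE appel:connective="or">
   <p3p:contact required="opt-out"/><p3p:telemarketing required="opt-out"/>
   <p3p:contact required="always"/><p3p:telemarketing required="always"/>
  </p3p:PURPOSE></p3p:STATEMENT></p3p:POLICY></appel:RULE>
 <appel:RULE behavior="request"><appel:OTHERWISE/></appel:RULE>
</appel:RULESET>"""

def policy(purposes):
    """Constructed one-statement P3P policy with the given PURPOSE children."""
    return ET.fromstring(f"<p3p:POLICY {NS}><p3p:STATEMENT><p3p:PURPOSE>"
                         f"{purposes}</p3p:PURPOSE></p3p:STATEMENT></p3p:POLICY>")

def matches(expr, ev):
    """Simplified APPEL match: tag, then attributes, then children by connective."""
    if expr.tag != ev.tag:
        return False
    for name, want in expr.attrib.items():
        if name.startswith(APPEL):
            continue  # appel:* attributes steer matching, they are not matched
        if ev.get(name, P3P_DEFAULTS.get(name)) != want:
            return False
    hits = [any(matches(c, e) for e in ev) for c in expr]
    if expr.get(APPEL + "connective", "and") == "or":
        return any(hits)
    return all(hits)  # default connective is "and"; no children means a match

def evaluate(ruleset_xml, evidence):
    """Return the behavior of the first rule that fires, in document order."""
    for rule in ET.fromstring(ruleset_xml):
        if rule.find(APPEL + "OTHERWISE") is not None:
            return rule.get("behavior")
        if all(matches(x, evidence) for x in rule):
            return rule.get("behavior")
    return None

if __name__ == "__main__":
    for p in ('<p3p:current/>', '<p3p:contact required="opt-in"/>',
              '<p3p:telemarketing/>'):
        print(p, "->", evaluate(RULESET, policy(p)))
```

A policy that declares `contact` or `telemarketing` without an opt-in falls to the `limited` rule; everything else reaches the catch-all `request` rule.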
  • 7. APPEL question in HW7
    • What are your personal privacy preferences?
      • a) First express them in English as a set of 3 to 5 rules. For example one rule might be "I don't want companies to share my data." If you can't capture all of your privacy preferences in 5 rules, just write down the 5 rules you consider most important.
      • b) Translate your rules into P3P vocabulary elements (for example, the above rule would translate to "RECIPIENT=ours")
      • c) Create an APPEL ruleset that represents your set of 3 to 5 privacy preference rules (plus a catch-all rule)
  • 8. Microsoft privacy template language
    • See Appendix D of Web Privacy with P3P
      • http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp
    • Specifies rules for user agents to handle various types of cookies
    • Based on P3P compact policy tokens
    • Allows policies for specific web sites
  • 9. Microsoft example
    • <MSIEPrivacy><MSIEPrivacySettings formatVersion="6">
    • <p3pCookiePolicy zone="internet">
    • <firstParty noPolicyDefault="reject" noRuleDefault="accept" alwaysAllowSession="yes">
    • <if expr="TEL" action="reject"></if>
    • <if expr="FIN,CON" action="forceSession"></if>
    • <if expr="FIN,CONa" action="forceSession"></if>
    • <if expr="GOV,PUB" action="forceSession"></if>
    • </firstParty>
    • <thirdParty noPolicyDefault="accept" noRuleDefault="accept" alwaysAllowSession="yes">
    • </thirdParty>
    • </p3pCookiePolicy>
    • <alwaysReplayLegacy/>
    • </MSIEPrivacySettings>
    • <MSIESiteRules formatVersion="6">
    • <site domain="www.BlueYonderAirlines.com"
    • action="accept">
    • </site>
    • </MSIESiteRules></MSIEPrivacy>
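
How the settings on slide 9 turn a site's compact policy into a cookie decision, as an added example that is not Microsoft's code or part of the original slides. `cookie_action` is a hypothetical helper and its semantics are assumptions: a per-site rule overrides everything, an `if` rule fires when every token in `expr` appears verbatim in the compact policy, and the first rule that fires wins. The domain `shop.example` and the compact policies are constructed.

```python
import xml.etree.ElementTree as ET

# Settings from slide 9.
SETTINGS = """<MSIEPrivacy><MSIEPrivacySettings formatVersion="6">
<p3pCookiePolicy zone="internet">
<firstParty noPolicyDefault="reject" noRuleDefault="accept" alwaysAllowSession="yes">
<if expr="TEL" action="reject"></if>
<if expr="FIN,CON" action="forceSession"></if>
<if expr="FIN,CONa" action="forceSession"></if>
<if expr="GOV,PUB" action="forceSession"></if>
</firstParty>
<thirdParty noPolicyDefault="accept" noRuleDefault="accept" alwaysAllowSession="yes">
</thirdParty>
</p3pCookiePolicy>
<alwaysReplayLegacy/>
</MSIEPrivacySettings>
<MSIESiteRules formatVersion="6">
<site domain="www.BlueYonderAirlines.com" action="accept"></site>
</MSIESiteRules></MSIEPrivacy>"""

def cookie_action(xml_text, domain, party, compact_policy, session=False):
    """Return the action for one cookie; party is 'firstParty' or 'thirdParty'."""
    root = ET.fromstring(xml_text)
    # Assumption: an explicit per-site rule takes precedence over P3P evaluation.
    for site in root.iter("site"):
        if site.get("domain").lower() == domain.lower():
            return site.get("action")
    cfg = next(root.iter(party))
    if session and cfg.get("alwaysAllowSession") == "yes":
        return "accept"
    if not compact_policy:
        return cfg.get("noPolicyDefault")  # site sent no compact policy
    tokens = set(compact_policy.split())
    for rule in cfg.findall("if"):
        # Assumption: exact token match, all tokens required, first match wins.
        if set(rule.get("expr").split(",")) <= tokens:
            return rule.get("action")
    return cfg.get("noRuleDefault")  # policy present but no rule fired

if __name__ == "__main__":
    for cp in ("", "NOI DSP TEL FIN CON", "CAO FIN CONa", "CAO FIN CONi"):
        print(repr(cp), "->", cookie_action(SETTINGS, "shop.example", "firstParty", cp))
```

With these settings the third-party defaults accept every cookie, so the first-party rules are the only ones that restrict anything.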
  • 10. EPAL
    • Enterprise Privacy Authorization Language
    • Developed by IBM, submitted to W3C
    • Allows enterprises to develop granular rules to check whether data access is authorized
    • Similar to P3P syntax but not identical
    • Includes
      • Data-categories
      • User-categories - administrators, doctors, etc.
      • Purposes
      • Actions - disclose, read, etc.
      • Obligations - delete after 30 days, get consent, etc.
      • Conditions - user category = doctor
    • Allow and deny rules
    • http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/
  • 11. Announcements
    • Bring laptop (with wireless card if possible) to class on Wednesday
    • Project proposal due Oct 19
    • Homework 7/8 due Oct 26
  • 12. Homework 4 Discussion
    • http://lorrie.cranor.org/courses/fa05/hw4.html
    • Privacy software reviews
    • Why do sites use web bugs?
  • 13. Homework 5 Discussion
    • http://lorrie.cranor.org/courses/fa05/hw5.html
    • Similarities and differences of P3P user agents
    • What did you like or dislike about them?
    • Experience creating bank P3P policies