An XPath-based Preference Language for P3P
IBM Almaden Research Center
Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu
Growing Concern about Privacy
“Privacy #1 issue in the 21st Century” - Wall Street Journal, January 24, 2000
The issues of trust, privacy and security are generally believed to be the greatest barriers to widespread use of the Internet for commercial purposes.
What is P3P
Current privacy policies are written by the lawyers, for the lawyers. P3P solves this problem.
– Encodes policies in machine readable format (XML).
– Goal: programmatically match privacy policies with user preferences.
– W3C recommendation (April 2002)
Need a preference language to make this work!
– APPEL: W3C Draft
– Unfortunately …
Outline
– Motivation
– Problems with APPEL
– Can these problems be fixed?
– An XPath-based preference language
– Conclusion
Context: P3P Policies
<POLICY>
  ...
  <STATEMENT>
    <PURPOSE><current/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><delivery/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.telecom.telephone"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
Jack’s Simple Preference
Only purposes “current” and “pseudo-analysis” are acceptable.
Will use this example to illustrate the problems with APPEL.
Jack’s First Attempt
<appel:RULESET>
  <appel:RULE behavior="request">
    <POLICY>
      <STATEMENT>
        <PURPOSE appel:connective="or-exact">
          <current/>
          <pseudo-analysis/>
        </PURPOSE>
      </STATEMENT>
    </POLICY>
  </appel:RULE>
  <appel:RULE behavior="block">
    <appel:OTHERWISE/>
  </appel:RULE>
</appel:RULESET>
Intended meaning: strictly access sites which collect personal information for purposes “current” and “pseudo-analysis”.
APPEL preferences are organized as a list of rules. The APPEL engine evaluates rules in order until one fires.
Rule head: specifies the outcome of the rule (request or block).
Rule body: specifies the structure and content of matching policies.
Logical connectives: govern matching of subelements.
Problem: Policies with Multiple Statements
<POLICY>
  ...
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    …
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    …
  </STATEMENT>
  …
</POLICY>
The first statement will match, and the policy will be accepted.
The second statement (telemarketing) is exactly what Jack tried to avoid by putting “or-exact” in PURPOSE!
Problem: A policy can have multiple statements, some of which may violate the user’s preference.
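The false accept described above, reproduced in Python as an added example that is not from the slides or the paper: the "or-exact" connective is evaluated per STATEMENT, so a rule body matches as soon as any one statement matches, while Jack's intent requires every statement to pass. The policy and the helper names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed two-statement P3P policy (not from the slides): the second
# STATEMENT collects data for telemarketing.
POLICY_XML = """<POLICY>
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
</POLICY>"""

ACCEPTABLE = {"current", "pseudo-analysis"}   # the purposes listed in Jack's rule

def purposes(statement):
    """Names of the elements inside a STATEMENT's PURPOSE (empty set if none)."""
    purpose = statement.find("PURPOSE")
    return {child.tag for child in purpose} if purpose is not None else set()

def or_exact(found, listed):
    """APPEL 'or-exact': at least one subelement matches and no subelement
    outside the listed ones is present. The connective is scoped to the
    element that carries it, here a single STATEMENT."""
    return bool(found) and found <= listed

def request_rule_fires(policy_xml):
    """Jack's first attempt: the rule body matches the policy if ANY STATEMENT
    matches, so one acceptable statement is enough to accept the whole policy."""
    policy = ET.fromstring(policy_xml)
    return any(or_exact(purposes(s), ACCEPTABLE) for s in policy.iter("STATEMENT"))

def every_statement_acceptable(policy_xml):
    """What Jack actually wanted: every STATEMENT must use only acceptable purposes."""
    policy = ET.fromstring(policy_xml)
    return all(or_exact(purposes(s), ACCEPTABLE) for s in policy.iter("STATEMENT"))

if __name__ == "__main__":
    print("APPEL request rule fires:", request_rule_fires(POLICY_XML))          # True
    print("Every statement acceptable:", every_statement_acceptable(POLICY_XML))  # False
```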
Jack’s Second Attempt
<appel:RULESET>
  <appel:RULE behavior="request">
    <POLICY>
      <STATEMENT appel:connective="and-exact">
        …
      </STATEMENT>
    </POLICY>
  </appel:RULE>
  …
</appel:RULESET>
Use “and-exact” to ensure that each statement in the policy satisfies the condition.
Problem: The connective applies to the subelements of a STATEMENT, not to all statements in a policy.
Jack’s Second Attempt (continued)
<appel:RULESET>
  <appel:RULE behavior="request">
    <POLICY appel:connective="and-exact">
      <STATEMENT>
        …
      </STATEMENT>
    </POLICY>
  </appel:RULE>
  …
</appel:RULESET>
Use “and-exact” on POLICY to ensure that each statement in the policy satisfies the condition.
Problem: POLICY has Multiple Subelements
<POLICY>
  <ENTITY> … </ENTITY>
  <ACCESS> … </ACCESS>
  <DISPUTES> … </DISPUTES>
  <REMEDIES> … </REMEDIES>
  <STATEMENT> … </STATEMENT>
  <STATEMENT> … </STATEMENT>
  …
</POLICY>
Problem: POLICY has other subelements aside from STATEMENT, so a connective placed on POLICY constrains those as well.
Key Point: Cannot Specify What is Acceptable
<POLICY>
  …
  <STATEMENTS>
    <STATEMENT> … </STATEMENT>
    <STATEMENT> … </STATEMENT>
  </STATEMENTS>
  …
</POLICY>
There is no STATEMENTS tag in P3P (which could be used to specify a logical connective over all statements).
Jack spends quality time with the manuals …
… and figures out he can convert his preference into specifying what is unacceptable.
Jack’s Third Attempt
<appel:RULE behavior="block">
  <POLICY>
    <STATEMENT>
      <PURPOSE appel:connective="or">
        <admin/><develop/><tailoring/>
        <pseudo-decision/><individual-analysis/>
        <individual-decision/><contact/>
        <historical/><telemarketing/>
        <other-purpose/>
      </PURPOSE>
    </STATEMENT>
  </POLICY>
</appel:RULE>
Convert positive preferences into negative preferences.
Note: Must enumerate all unacceptable purposes.
Problem: Does not block web sites that use extensions.
How about a slightly more complex preference?
Purposes “current” and “pseudo-analysis” are acceptable.
Purpose “individual-analysis” is also acceptable provided the recipient is “ours”.
Negating Logical Expressions…
First, have to negate the expression (since we can’t specify what is acceptable).
– Forall (current OR … OR ( … AND … )) => accept
Becomes:
– Exists !(current AND … AND ( … OR … )) => block
Parse Tree of Expression
Or
  Purpose = “current”
  Purpose = “pseudo-analysis”
  And
    Purpose = “individual-analysis”
    Recipient = “ours”
Negated Parse Tree of Expression
And
  Purpose != “current”
  Purpose != “pseudo-analysis”
  Or
    Purpose != “individual-analysis”
    Recipient != “ours”
Parse Trees that can be Expressed in APPEL
Statement connective
  Purpose connective
    current
    individual-analysis
    pseudo-analysis
  Recipient connective
    ours
(Shape of the logical expressions involving PURPOSE and RECIPIENT that can be expressed as a single APPEL rule: one connective per element, following the structure of the policy.)
Cannot express the desired condition as a single rule.
The condition can be expressed as multiple rules, but the translation is no longer a simple negation.
Translation into APPEL
Exists (purpose, recipient): purpose = “individual-analysis” AND recipient != “ours” => block
Exists purpose: purpose != “current” AND purpose != “pseudo-analysis” AND purpose != “individual-analysis” => block
Negations must be translated into enumerations.
Recap: Problems With APPEL
APPEL rules cannot be used to specify what is acceptable, only what is unacceptable.
Logical expressions involving simple combinations of purpose, recipient and data are hard to express.
– APPEL logical connectives are tied to the structure of a policy.
Writing APPEL preferences is error prone, even for experts.
– Errors in the APPEL working draft.
Outline
– Overview of P3P and APPEL
– Problems with APPEL
– Can these problems be fixed?
– An XPath-based preference language
– Conclusion
New Operators
Enumeration of unacceptable choices
– Can APPEL be fixed by adding new operators?
Any-except logical connective
– True if any element in the policy is not listed as a subelement in the rule.
Any-except Operator: Helps for Example 1, but not Example 2
<appel:RULE behavior="block">
  <POLICY>
    <STATEMENT>
      <PURPOSE appel:connective="any-except">
        <current/><pseudo-analysis/>
      </PURPOSE>
    </STATEMENT>
  </POLICY>
</appel:RULE>
Lists acceptable choices.
Preferences involving logical operators over combinations of purpose, recipient, and data are still a problem.
Modify P3P to Fix APPEL?
<appel:RULE behavior="request">
  <POLICY>
    <STATEMENTS appel:connective="or-exact">
      <STATEMENT> … </STATEMENT>
      <STATEMENT> … </STATEMENT>
    </STATEMENTS>
  </POLICY>
</appel:RULE>
Add a STATEMENTS tag to P3P policies to specify acceptable policies.
P3P is a W3C Recommendation and therefore hard to change.
Conditions over combinations of PURPOSE, RECIPIENT and DATA remain hard to express.
Summary: Can the problems be fixed?
Problems with APPEL are fundamental.
Problems arise from the design choice to structure APPEL like P3P.
Fixing APPEL would essentially mean designing a new language.
Outline
– Overview of P3P and APPEL
– Problems with APPEL
– Can these problems be fixed?
– An XPath-based preference language
– Conclusion
Language Design Goals
At least as expressive as APPEL
– APPEL designers investigated requirements for a preference language.
Use, if possible, an existing language
– P3P is specified in an XML format.
– XPath is a query language for XML.
– XPath is a W3C Recommendation which is already used in a variety of available systems.
– Benefits from the rigorous work done on the design of XPath syntax and semantics.
XPref
Retain APPEL rule heads.
Replace APPEL rule bodies with XPath.
– Using a strict subset of XPath 1.0 necessary for expressing preferences.
– Adding the XPath 2.0 “every” quantified expression to simplify expressing positive preferences.
Negative Preferences in XPref
<RULESET>
  <RULE behavior="block"
        condition="/POLICY/STATEMENT[ PURPOSE/*[ name(.) = 'individual-analysis' ] and RECIPIENT/*[ name(.) != 'ours' ] ]"/>
  <RULE behavior="request" condition="true"/>
</RULESET>
Block access to sites where the purpose is “individual-analysis” and the recipient is not “ours”.
Positive Preferences in XPref
<RULESET>
  <RULE behavior="request"
        condition="/POLICY[ every $pname in STATEMENT/PURPOSE/* satisfies (name($pname) = 'current' or name($pname) = 'pseudo-analysis') ]"/>
  <RULE behavior="block" condition="true"/>
</RULESET>
Access sites whose purposes for collecting information are strictly “current” or “pseudo-analysis”.
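The two XPref rulesets above (negative and positive), evaluated over sample policies as an added example that is not from the slides or the paper. Python's standard-library ElementTree supports neither the XPath name() function nor the XPath 2.0 "every" quantifier, so each condition attribute is written out as an equivalent Python predicate over the parsed policy; the ordered first-rule-fires evaluation mirrors the retained APPEL rule heads. The sample policies and helper names are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from the slides).
POLICY_A = """<POLICY>
  <STATEMENT><PURPOSE><current/><pseudo-analysis/></PURPOSE><RECIPIENT><ours/></RECIPIENT></STATEMENT>
</POLICY>"""
POLICY_B = """<POLICY>
  <STATEMENT><PURPOSE><current/></PURPOSE><RECIPIENT><ours/></RECIPIENT></STATEMENT>
  <STATEMENT><PURPOSE><individual-analysis/></PURPOSE><RECIPIENT><ours/><delivery/></RECIPIENT></STATEMENT>
</POLICY>"""

def names(element, path):
    """Element names selected by a child path such as 'PURPOSE/*' (what XPath name(.) returns)."""
    return [e.tag for e in element.findall(path)]

def negative_condition(policy):
    # /POLICY/STATEMENT[PURPOSE/*[name(.)='individual-analysis'] and RECIPIENT/*[name(.)!='ours']]
    return any("individual-analysis" in names(s, "PURPOSE/*")
               and any(r != "ours" for r in names(s, "RECIPIENT/*"))
               for s in policy.findall("STATEMENT"))

def positive_condition(policy):
    # /POLICY[every $pname in STATEMENT/PURPOSE/* satisfies
    #         (name($pname)='current' or name($pname)='pseudo-analysis')]
    # 'every' over an empty sequence is true, matching Python's all().
    return all(p in ("current", "pseudo-analysis") for p in names(policy, "STATEMENT/PURPOSE/*"))

# Rule heads are kept from APPEL; the final rule corresponds to condition="true".
NEGATIVE_RULESET = [("block", negative_condition), ("request", lambda policy: True)]
POSITIVE_RULESET = [("request", positive_condition), ("block", lambda policy: True)]

def evaluate(ruleset, policy_xml):
    """Try rules in order; the head of the first rule whose condition holds is the outcome."""
    policy = ET.fromstring(policy_xml)
    for behavior, condition in ruleset:
        if condition(policy):
            return behavior
    raise ValueError("no rule fired")  # unreachable when the ruleset ends with a catch-all

if __name__ == "__main__":
    for label, policy in (("A", POLICY_A), ("B", POLICY_B)):
        print(label, "negative ruleset:", evaluate(NEGATIVE_RULESET, policy),
              "positive ruleset:", evaluate(POSITIVE_RULESET, policy))
```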
Expressive Power
Algorithm for converting APPEL to XPref
Conclusion
P3P is currently the only standard for expressing privacy policies on the web.
To be successful, P3P needs a viable preference language.
XPref solves the problems of APPEL.
XPref is based upon XPath which is an existing and successful standard.
An algorithm which translates XPref into APPEL is given in the paper.
Next step: make XPref a W3C recommendation.
Policy-Preference Matching
Participants: Browser, Web Server, APPEL Engine
1. Browser to Web Server: request policy
2. Web Server to Browser: send policy
3. Browser to APPEL Engine: policy and user preference
4. APPEL Engine to Browser: result of matching
5. Browser to Web Server: request web page if policy conforms to preference
P3P Adoption
Year   Sites posting P3P policies among 100 most popular sites
1998   45%
1999   85%
2000   97%
2001   99%