Specifying Personal Privacy Policies to Avoid Unexpected Outcomes George Yee and Larry Korba {George.Yee, Larry.Korba}@nrc.ca PST 2005 October 12-14, 2005

Page 1

Specifying Personal Privacy Policies to Avoid Unexpected Outcomes

George Yee and Larry Korba {George.Yee, Larry.Korba}@nrc.ca

PST 2005, October 12-14, 2005

Page 2

Overview

• Introduction

• Privacy policies and e-services

• Unexpected outcomes

• Preventing unexpected outcomes

• Conclusions and future research

Page 3

Introduction

• Drivers for personal privacy policies
  – Growth of the Internet
    • greater consumer exposure to e-services
    • growth of consumer awareness of lack of privacy
  – Privacy legislation
    • greater consumer awareness of privacy rights

• Privacy policies on the Internet
  – Posted privacy policies
  – P3P privacy policies for web sites
    • Browser plug-in allows checking of personal privacy preferences against a web site’s policy
    • “Privacy Bird”: checks preferences, displays the policy in easy-to-understand language, customizable warnings

Page 4

Privacy policies and e-services

Consumer privacy policy
• Necessary content implied by privacy legislation (minimal policy)
• Simple so that it can be understood by the average e-service consumer
• Machine processable, e.g. using an XML-based language such as APPEL

Provider has its own policy

Example consumer policy (a Header followed by two Privacy Rules):

Header
  Policy Use: E-learning
  Owner: Alice Consumer
  Proxy: No
  Valid: unlimited

Privacy Rule
  Collector: Any
  What: name, address, tel
  Purposes: identification
  Retention Time: unlimited
  Disclose-To: none

Privacy Rule
  Collector: Any
  What: Course Marks
  Purposes: Records
  Retention Time: 2 years
  Disclose-To: none

Page 5

Privacy policies and e-services

• Privacy Management Model
  – Consumer & provider each have a privacy policy
  – Prior to engaging a service, privacy policies are exchanged between consumer and provider to see if they match
  – Provider requests private data according to its privacy policy
  – Consumer may resist any privacy reduction
    • may only be willing to provide private data according to her preferences
  – A match between policies occurs if, in the respective policies,

    privacy reduction allowed by consumer ≥ privacy reduction required by provider

    Otherwise, there is a mismatch.

Page 6

Privacy policies and e-services

• Policy mechanics
  – A privacy policy is considered upgraded (downgraded) if the new version represents more (less) privacy than the prior version.
  – Where time is involved, a private item held for less time is considered more private*.

*as long as it is thoroughly expunged!
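The match test on page 5 and the upgrade/downgrade ordering on page 6 are easy to get wrong when a rule has several privacy-relevant attributes, so the following added example (not the authors' code) works them through on a simplified rule model. It assumes retention time is measured in years with "unlimited" represented as infinity, treats Disclose-To "none" as the empty set of parties, and uses Alice's two rules from page 4 as the consumer policy against a constructed provider policy whose values are hypothetical.

```python
import math
from dataclasses import dataclass

UNLIMITED = math.inf  # "unlimited" retention modelled as infinity (assumption)


@dataclass(frozen=True)
class Rule:
    what: str               # private item, e.g. "course marks"
    retention_years: float  # UNLIMITED means "unlimited"
    disclose_to: frozenset  # empty set means Disclose-To "none"

    def at_least_as_private_as(self, other: "Rule") -> bool:
        # Page 6: shorter retention is more private; fewer disclosure
        # targets is more private. Both must hold for a clean ordering.
        return (self.retention_years <= other.retention_years
                and self.disclose_to <= other.disclose_to)


def classify_change(old: Rule, new: Rule) -> str:
    """Page 6: 'upgrade' = more privacy than before, 'downgrade' = less."""
    more = new.at_least_as_private_as(old)
    less = old.at_least_as_private_as(new)
    if more and less:
        return "unchanged"
    if more:
        return "upgrade"
    if less:
        return "downgrade"
    return "incomparable"  # e.g. shorter retention but wider disclosure


def _describe(rule: Rule) -> str:
    ret = "unlimited" if rule.retention_years == UNLIMITED else f"{rule.retention_years:g} years"
    disc = ", ".join(sorted(rule.disclose_to)) or "none"
    return f"retention {ret}, disclose-to {disc}"


def find_mismatches(consumer: dict, provider: dict) -> list:
    """Page 5: match iff, for every item the provider requires, the privacy
    reduction the consumer allows >= the reduction the provider requires,
    i.e. the provider's rule is at least as private as the consumer's.
    Returns the offending items; an empty list means the policies match."""
    problems = []
    for what, required in provider.items():
        allowed = consumer.get(what)
        if allowed is None:
            problems.append(f"{what}: consumer policy has no rule permitting collection")
        elif not required.at_least_as_private_as(allowed):
            problems.append(f"{what}: provider requires {_describe(required)}; "
                            f"consumer allows {_describe(allowed)}")
    return problems


# Alice's consumer policy from page 4, in this model.
ALICE = {
    "name, address, tel": Rule("name, address, tel", UNLIMITED, frozenset()),
    "course marks": Rule("course marks", 2, frozenset()),
}

# Constructed provider policy (hypothetical values, not from the slides):
# the e-learning provider wants to keep course marks for 5 years.
PROVIDER_INITIAL = {
    "name, address, tel": Rule("name, address, tel", 1, frozenset()),
    "course marks": Rule("course marks", 5, frozenset()),
}


def negotiate_provider_upgrade(provider: dict, what: str, years: float) -> dict:
    """Provider shortens retention on one item: an upgrade in the page 7 sense."""
    old = provider[what]
    return {**provider, what: Rule(what, years, old.disclose_to)}


if __name__ == "__main__":
    print("initial:", find_mismatches(ALICE, PROVIDER_INITIAL))
    upgraded = negotiate_provider_upgrade(PROVIDER_INITIAL, "course marks", 2)
    print("change:", classify_change(PROVIDER_INITIAL["course marks"], upgraded["course marks"]))
    print("after upgrade:", find_mismatches(ALICE, upgraded))
```

The ordering is deliberately partial: a new rule that shortens retention but widens Disclose-To is reported as "incomparable" rather than silently counted as an upgrade, which is exactly the kind of change that can undo near-well-formedness during negotiation.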

Page 7

Unexpected outcomes

• Interested in outcomes from the matching of privacy policies arising from:
  – How the match was obtained
  – Matching policy content

• Outcomes: how the match was obtained:
  – A match may have been obtained through an upgrade/downgrade (during negotiation)
    • Upgrade: provider required too much user privacy reduction; provider upgrades its policy (more privacy via less private data)

Unexpected outcome: private data left out may lead to extra costs, e.g. leaving out the credit card requirement leads to a more costly means of payment

Page 8

Unexpected outcomes

• Downgrade: mismatch due to consumer policy allowing too little privacy reduction, so consumer downgrades her policy (less privacy) to give more private data to the provider

Unexpected outcome: extra private data leads to the provider needing to put more costly data protection safeguards in place, e.g. for highly sensitive health information

• More examples in paper…

Page 9

Preventing unexpected negative outcomes:

• Need “well-formed” policies

Definition 1 (Unexpected negative outcome): The use/development of privacy policies such that

a) the outcome is unexpected by both provider and consumer, and

b) the outcome leads to either provider and/or consumer experiencing some loss, which could be private information, money, time, convenience, job, etc., including serious losses.

Page 10

Preventing unexpected outcomes

Definition 2: A well-formed (WF) privacy policy (for either consumer or provider) is one that does not lead to unexpected negative outcomes.

Definition 3: A near well-formed (NWF) privacy policy is one in which the attributes valid, collector, retention time, and disclose-to have each been considered against all known misspecifications that can lead to unexpected negative outcomes.

• A NWF privacy policy is the best that we can achieve at this time
  – No guarantee unexpected negative outcomes will not occur
  – Reduces the probability that they will occur.

Page 11

Preventing: Some Rules

• Rule for Valid: Time period must be >= longest retention time.

(There is always a consumer privacy policy governing the consumer information.)

Page 12

Preventing: Some Rules

• Rule for Collector: Availability of the individual to receive the information must be considered.

Page 13

Preventing: Some Rules

• Rule for Retention Time: Consequences of the retention time expiration (provider destroys corresponding information) must be considered.
  – If the consequences do not lead to unexpected negative outcomes, proceed to specify the desired time. Otherwise, or if there is doubt, specify the length of time the service will be used.

Page 14

Preventing: Some Rules

• Rule for Disclose-To: Consequences of successive propagation of your information, starting with the first party mentioned in the Disclose-To, must be considered.
  – If the consequences do not lead to unexpected negative outcomes, proceed with the specification of the Disclose-To party or parties. Otherwise, or if there is doubt, specify “none” or “name of receiving party, no further”.
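Of the four rules on pages 11 to 14, only the rule for Valid is a pure comparison; the others ask the policy author to think about consequences. The added example below (not the authors' tool) parses a policy written in the Header / Privacy Rule layout of page 4, rejects a Valid period shorter than the longest Retention Time, and flags a named Collector or an open-ended Disclose-To for review rather than deciding them mechanically. The line-oriented layout, the duration spellings ("2 years", "6 months"), and the ", no further" suffix are assumptions about how the fields on the slides would be written out; the counter-example values (Valid "1 year", "Course Coordinator", "Registrar") are constructed.

```python
import re

UNLIMITED = float("inf")
_YEARS_PER_UNIT = {"year": 1.0, "month": 1 / 12, "day": 1 / 365}


def parse_duration(text: str) -> float:
    """'unlimited' -> inf; '2 years' -> 2.0; '6 months' -> 0.5 (assumed spellings)."""
    text = text.strip().lower()
    if text == "unlimited":
        return UNLIMITED
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(year|month|day)s?", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return float(m.group(1)) * _YEARS_PER_UNIT[m.group(2)]


def parse_policy(text: str) -> dict:
    """Split 'Field: value' lines into a header dict and a list of rule dicts.
    A line reading 'Header' starts the header; 'Privacy Rule' starts a new rule."""
    header, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Header":
            current = header
        elif line == "Privacy Rule":
            current = {}
            rules.append(current)
        elif ":" in line and current is not None:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return {"header": header, "rules": rules}


def check_near_well_formed(policy: dict) -> list:
    """Return (severity, message) findings; an empty list means the checks passed."""
    findings = []
    header, rules = policy["header"], policy["rules"]
    # Rule for Valid (page 11): the policy must outlive every retention period.
    valid = parse_duration(header.get("Valid", "unlimited"))
    longest = max((parse_duration(r["Retention Time"]) for r in rules), default=0.0)
    if valid < longest:
        findings.append(("error", f"Valid '{header['Valid']}' is shorter than the longest "
                                  "Retention Time: data would be held after the policy "
                                  "governing it has expired (rule for Valid)"))
    for r in rules:
        what = r.get("What", "?")
        # Rule for Collector (page 12): a named party must actually be reachable.
        collector = r.get("Collector", "Any")
        if collector.strip().lower() != "any":
            findings.append(("review", f"{what}: check that '{collector}' will be available "
                                       "to receive the data (rule for Collector)"))
        # Rule for Disclose-To (page 14): 'none' or '<party>, no further' are the
        # safe forms; anything else allows onward propagation and needs thought.
        disclose = r.get("Disclose-To", "none").strip().lower()
        if disclose != "none" and not disclose.endswith(", no further"):
            findings.append(("review", f"{what}: Disclose-To '{r['Disclose-To']}' allows "
                                       "onward propagation; confirm the consequences or "
                                       "specify 'none' / '<party>, no further'"))
    return findings


# Alice's policy from page 4, written out in the assumed line layout.
ALICE_POLICY_TEXT = """
Header
Policy Use: E-learning
Owner: Alice Consumer
Proxy: No
Valid: unlimited

Privacy Rule
Collector: Any
What: name, address, tel
Purposes: identification
Retention Time: unlimited
Disclose-To: none

Privacy Rule
Collector: Any
What: Course Marks
Purposes: Records
Retention Time: 2 years
Disclose-To: none
"""


def misspecified_variant() -> dict:
    """Constructed counter-example: Alice's policy with three mis-specifications."""
    bad = parse_policy(ALICE_POLICY_TEXT)
    bad["header"]["Valid"] = "1 year"                    # shorter than the 2-year retention
    bad["rules"][1]["Collector"] = "Course Coordinator"  # hypothetical named party
    bad["rules"][1]["Disclose-To"] = "Registrar"         # hypothetical, no propagation stop
    return bad


if __name__ == "__main__":
    print(check_near_well_formed(parse_policy(ALICE_POLICY_TEXT)))
    print(check_near_well_formed(misspecified_variant()))
```

Alice's policy passes because an unlimited Valid period covers an unlimited retention time; the variant produces one hard error and two review items, which is the split between what a tool can decide and what still needs the consequence exploration the approach on page 15 calls for.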

Page 15

Preventing unexpected outcomes: Approach

• Incorporate the above rules when specifying the initial policy
  – Use an automatic or semi-automatic specification method (e.g. G. Yee and L. Korba, “Semi-Automated Derivation of Personal Privacy Policies”, Proceedings, The IRMA International Conference 2004 (IRMA 2004), New Orleans, May 23-26, 2004.)
  – Rules application may employ a combination of artificial intelligence and user/provider query/response techniques to appreciate consequences.
  – Apply rules during manual policy specification employing a tool for exploring possible consequences.

Page 16

Preventing unexpected outcomes

• Use privacy policy negotiation where NWF policies from initial specification do not match:

• Avoid undoing NWF-ness from initial specification; upgrades and downgrades may inadvertently undo the NWF-ness.

• Take advantage of negotiation to expose a needed application of the above rules.

• Paper provides examples

Page 17

Summary

• Summary
  – Unexpected outcomes can arise from matching of privacy policies
  – Proposed an approach using near-well-formed policies to minimize unexpected negative outcomes

• Approach will work for other privacy policy formulations
  – Privacy policy formulations
    • must conform to privacy legislation
    • therefore they do not differ substantially
    • our approach uses a minimal policy that conforms.

Page 18

Conclusions and future research

• Further research:
  – Explore further unexpected negative outcomes
  – Tools for consequences exploration
  – Other methods for avoiding or mitigating unexpected negative outcomes
  – Implement the proposed approach (extend current prototype)
  – Application in other areas: security risk analysis

Page 19

Thank-you

Page 20

Preventing unexpected outcomes

Example negotiation between Nursing Online (Provider) and Alice (Consumer) (read from left to right, top to bottom):

Nursing Online: OK if a nurse on our staff is told your medical condition?
Alice: No, only Dr. Alexander Smith can be told my medical condition.
Nursing Online: We cannot provide you with any nursing service unless we know your medical condition.
Alice: OK, I’ll see Dr. Smith instead.
Nursing Online: You are putting yourself at risk. What if you need emergency medical help for your condition and Dr. Smith is not available?
Alice: You are right. Do you have any doctors on staff?
Nursing Online: Yes, we always have doctors on call. OK to allow them to know your medical condition?
Alice: That is acceptable. I will modify my privacy policy to share my medical condition with your doctors on call.

Negotiation guides the application of the rule for Collector, preventing the unexpected outcome that Alice will be left with no medical help.