Presentation overview Introduction to automated privacy and Identity management. Ontologies: What...
Presentation overview
• Introduction to automated privacy and identity management
• Ontologies: what they are, how they can help
• Conceptual mediation: lawyers, users, businesses
• Ontologies and reasoning: anonymizing access control
• Reasoning in access control demo
Example XML statement in a P3P policy
<STATEMENT>
  <PURPOSE><admin/><develop/><pseudo-decision/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP>
    <DATA ref="#dynamic.cookies">
      <CATEGORIES><preference/><navigation/></CATEGORIES>
    </DATA>
  </DATA-GROUP>
</STATEMENT>
Read: the site's own cookies, in the preference and navigation data categories, are used for administration, development and pseudonymous decision-making, are shared with nobody but the site itself (ours), and are retained indefinitely.
Example APPEL rule over a P3P policy
<appel:RULE behavior="block"
  description="Site sets cookies which are used beyond what is required for stated purpose">
  <p3p:POLICY>
    <p3p:STATEMENT>
      <p3p:RETENTION appel:connective="non-and">
        <p3p:stated-purpose/>
      </p3p:RETENTION>
    </p3p:STATEMENT>
  </p3p:POLICY>
</appel:RULE>
The non-and connective makes the rule fire when the policy's RETENTION element does not contain stated-purpose, i.e. when data is kept longer than the stated purpose requires. Against the statement above, which retains the cookie data indefinitely, the rule fires and the user agent blocks.
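The following is an added example (not code from the talk or from any P3P user agent) that evaluates the statement above against the APPEL rule above with Python's standard XML parser. The namespace URIs are those of the P3P 1.0 and APPEL 1.0 drafts; the connective semantics (or, and, non-or, non-and) follow my reading of the APPEL draft and are an assumption, and attribute matching (e.g. DATA ref="...") and the *-exact connectives are left out:

```python
"""Evaluate a P3P STATEMENT against an APPEL rule (added example).

Connective semantics are a simplified reading of the APPEL draft (assumption):
  or      - at least one rule child matches a policy child (default)
  and     - every rule child matches
  non-or  - no rule child matches
  non-and - at least one rule child does NOT match
"""
import xml.etree.ElementTree as ET

P3P = "http://www.w3.org/2002/01/P3Pv1"
APPEL = "http://www.w3.org/2002/04/APPELv1"
NS = {"p3p": P3P, "appel": APPEL}

# Constructed sample: the slide's STATEMENT, wrapped in a namespaced POLICY.
POLICY_XML = f"""<POLICY xmlns="{P3P}">
  <STATEMENT>
    <PURPOSE><admin/><develop/><pseudo-decision/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#dynamic.cookies">
        <CATEGORIES><preference/><navigation/></CATEGORIES>
      </DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Same policy, but retaining the data only as long as the stated purpose needs.
COMPLIANT_POLICY_XML = POLICY_XML.replace("<indefinitely/>", "<stated-purpose/>")

# The slide's APPEL rule, with both namespaces declared.
RULE_XML = f"""<appel:RULE xmlns:appel="{APPEL}" xmlns:p3p="{P3P}" behavior="block"
  description="Site sets cookies which are used beyond what is required for stated purpose">
  <p3p:POLICY>
    <p3p:STATEMENT>
      <p3p:RETENTION appel:connective="non-and">
        <p3p:stated-purpose/>
      </p3p:RETENTION>
    </p3p:STATEMENT>
  </p3p:POLICY>
</appel:RULE>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def element_matches(rule_el, policy_el):
    """Recursively match one rule element against one policy element."""
    rule_children = list(rule_el)
    if not rule_children:
        # Leaf such as <stated-purpose/>: matched by tag name alone.
        return _local(rule_el.tag) == _local(policy_el.tag)
    # For each rule child: does *some* same-named policy child match it?
    results = [
        any(_local(rc.tag) == _local(pc.tag) and element_matches(rc, pc)
            for pc in policy_el)
        for rc in rule_children
    ]
    connective = rule_el.get(f"{{{APPEL}}}connective", "or")
    if connective == "or":
        return any(results)
    if connective == "and":
        return all(results)
    if connective == "non-or":
        return not any(results)
    if connective == "non-and":
        return not all(results)
    raise ValueError(f"unsupported APPEL connective: {connective!r}")


def evaluate_rule(rule_xml, policy_xml):
    """Return the rule's behavior ('block', 'request', 'limited') if it fires, else None."""
    rule = ET.fromstring(rule_xml)
    policy = ET.fromstring(policy_xml)
    rule_policy = rule.find("p3p:POLICY", NS)
    fires = (_local(rule_policy.tag) == _local(policy.tag)
             and element_matches(rule_policy, policy))
    return rule.get("behavior") if fires else None


if __name__ == "__main__":
    print("indefinite retention ->", evaluate_rule(RULE_XML, POLICY_XML))
    print("stated-purpose retention ->", evaluate_rule(RULE_XML, COMPLIANT_POLICY_XML))
```

The contrast between the two policies is the point: the same rule returns "block" for indefinite retention and does not fire once RETENTION contains stated-purpose. Because the match is purely structural (tag names and connectives), the evaluator has no idea what "indefinitely" means; that is exactly the gap the rest of the talk proposes to close with an ontology.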
Automating privacy protection, scenario 2: enterprise architecture
[Diagram: a privacy layer and a security layer sit over the data flow; the privacy layer is driven by privacy-based access policies, an ontology, a GUI, rules and a rule engine, the security layer by security policies.]
Scenario 3: automated identity management
[Diagram: an applications framework exposing single sign-on, access control, personalization, management, directory services, workflow automation, policies and profiles, and delegated administration to users.]
Automated identity management based on credentials
[Diagram: the same applications framework (single sign-on, access control, personalization, management, directory services, workflow automation, policies and profiles, delegated administration), now reached by the user through tokens/credentials rather than directly.]
XML-based policies describe:
• Business practices (Enterprise Policies)
• User preferences
• Obligations
• Access conditions
• Audit logs
Automated privacy: stakeholders
• End users, e.g. my mother
• Law enforcement, e.g. police, data protection authorities, the Article 29 Working Party
• Business: privacy concerns cost e-commerce $15 billion a year (Forrester Research)
• Application developers, e.g. browser developers, EPAL implementations
Four key problems
1. Each group of stakeholders speaks a completely different language. E.g. many users have never heard of identity management; they just want to sign on to multiple web sites.
2. Enterprises need to be user friendly, but at the same time control liability.
3. Existing languages are not expressive or extensible enough to model all aspects of data protection.
4. The law says you should only collect the minimum data required to carry out the service. But how do you work out the minimum data required? Applications are not yet intelligent enough to know what to ask for.
Ontologies
Ornithology: the study of birds
Oncology: the study of cancer
Onychology: the study of fingernails and toenails
Ontology: a formal, machine-readable specification of terms and their relationships in a specific domain
How ontologies can help automated privacy and IDM
• Machine-readable description of concepts and of the relationships between:
  - data protection law
  - user metaphors
  - enterprise business rules
  - application logic
• Can translate between legal-ese, user-ese, business-ese and Java/C++.
[Diagram: alignment of legal, user and technical models. The ontology sits between rule systems and program logic; the legal, enterprise, end-user and developer views each map onto it.]
How ontologies can help automated privacy and IDM (continued)
• Richly expressive, precise and interoperable policy languages
• Reasoning capabilities give more powerful policy evaluation, e.g. to figure out the minimum data required, or to accept flexible credentials
• A standard language used in user interfaces, so businesses can trust policy translations
• Extensible to include other ontologies (e.g. a geographical ontology for location-based services)
• Natural-language independence: the concept is the same whether the label is "privacy" or "riservatezza"
• Separating business logic, conceptual models and program logic makes development more efficient
Description logics
Languages for describing concepts and their properties and relations, e.g.
- OWL (W3C standard)
- RDFS (W3C standard)
- DAML+OIL (www.daml.org)
[Diagram: a knowledge base, e.g. a privacy policy.]
Semantics
Semantics specify the connection between terms (names) and concepts (meaning); see e.g. Fodor, Chomsky, and RDF Semantics: http://www.w3.org/TR/rdf-mt/
What is an ontology? Description logics describe:
- Concepts: classes and subclasses, e.g. Data, Health Data, Data Controller
- Properties: features and attributes, e.g. isCollectedBy
- Restrictions on properties and concepts, e.g. if a person is Italian and has a driving licence, they are over 18; Health Data is a subclass of Data
RDF
• OWL uses RDF, a graph description language which is very well suited to describing concepts
• Based on a very simple graph modelling language (the core RDF specification is only 2-3 pages long!)
• A "triple" is a statement: [Subject - Predicate - Object], e.g. [Religious data - is of type - Sensitive Data]
• RDF (in contrast to XML) can describe arbitrarily complex statements and relationships.
[Diagram: the triple http://www.prime-project.eu.org/dpontology/religiondatatype - is in category - Sensitive Data]
OWL uses RDF to describe relationships between concepts
[Diagram: class graph. Address, Religion and Email are subclasses of Data; Religion is in category Sensitive Data, Address and Email are Contact Data; a Data Controller Collects Data About a Subject, who may be related or unrelated; the "must specify, number of: 1" constraint attaches to the Data Controller.]
Policies are expressed in RDF (but XML may also be used for backward compatibility)
[Diagram: instance graph. "Via Enrico Fermi" is a Street Name and the contact details of the Data Controller; the Data Object http://p3p.jrc.it/form.php* is in a category; a transfer performed by the Data Subject's controller transfers that data object for the purpose of Third Party Marketing.]
How ontologies standardize application semantics
[Diagram: the same instance graph, with the transfer modelled as a Data Transfer Event: performed by the Data Controller (contact details "Via Enrico Fermi", a Street Name), it transfers the Data Object http://p3p.jrc.it/form.php* for the purpose of Third Party Marketing, each node being placed in an ontology category.]
DP ontology based on P3P; data-typing ontology based on P3P
Ontology development tools: Java libraries
• Jena, developed by HP Labs, provides a complete suite of Java tools for processing RDF and OWL, and for reasoning with OWL and Prolog-style rules.
• Downloadable from http://jena.sourceforge.net (Jena has since become an Apache project, hosted at https://jena.apache.org)
Ontology capture processes
• The most important factor in the success of an ontology
• Methodologies:
  - Each concept is defined by a traceable and repeatable process.
  - Text analysis: automated or semi-automated analysis of key documents (e.g. legislation)
  - Interviews and group exercises (e.g. legal modelling)
  - Conflict resolution methodologies: describe and resolve situations where groups disagree.
  - Alignment of different ontologies covering similar domains.
Formal and informal ontologies
• XML languages such as P3P and XACML are informal ontologies
  - The semantics of terms are informally defined. E.g. in P3P, <p3p:PURPOSE><p3p:current/></p3p:PURPOSE> means "current purpose", and the meaning of current is given only by a human-readable definition in the specification.
  - XML is not a rigorous or complete framework for semantics, but has a high adoption level.
• Informal ontologies represent a huge body of work towards conceptual consensus.
Example Scenarios for Privacy and IDM
• Conceptual mediation between users, lawyers and businesses
• Access control: credential reasoning
• Demo
Users
• Need to: specify preferences, receive warnings, understand policies
• Using: simple metaphors, e.g. the town/house metaphor
Lawyers
• Need to: ensure that business policies are compliant with legislation; ensure that users' preferences are compliant with the law; provide tools for businesses to check legal compliance
• Using: precise, unambiguous language
Enterprises
• Need to: create privacy policies; enforce privacy policies; communicate good practice to users; collect and store consent; protect against liabilities
• Using: precise, unambiguous business-process concepts
Application developers
• Need to: implement enterprise policies consistently; implement user preferences; translate user metaphors into real practice; build easily updatable applications
• Using: pragmatic tools: Java/C++/UML/Prolog
Rules used by the Java demo application (Jena rule syntax: triple patterns before -> are the premises, triples after it are asserted when they match):
String rules =
    "[(?d rdf:type eg:studentdoctor) (?n rdf:type eg:nurse) -> (?d eg:superiorTo ?n) (?n eg:subordinateTo ?d)]";
rules += "[(?d rdf:type eg:surgeon) (?n rdf:type eg:studentdoctor) -> (?d eg:superiorTo ?n) (?n eg:subordinateTo ?d)]";
rules += "[(?d eg:canShowCredential eg:drivinglicense) -> (?d eg:hasAge ?n) (?n eg:greaterThan 18)]";
Example 1
Policy states:
• Company X
• DISCLOSES data about EMAIL ADDRESS
• to UNRELATED THIRD PARTIES
• without CONSENT
Ontology + rules can then translate this into descriptions and actions which are appropriate to the context.
Example 1: conceptual alignment (the same concept as seen by each stakeholder)
Users                              Applications                               Regulators
"Data which might lead to spam"    EMAIL ADDRESS                              Sensitive Data
"I ticked a box"                   Consent                                    Consent to data processing
"Remember my details"              Cookies                                    Clickstream data
"Private information"              religion, medical data, criminal record    Sensitive Data
Example 1: the same concepts in the policy are translated by the rules:
• Users: display a warning in language users can understand: "Warning: submitting this form could cause spam"
• Lawyers: alert the service about illegal practices
• Application: don't submit any data to this company, or create a pseudonymous email address; warn the policy creator of illegal practices (e.g. in the JRC Policy Editor)
• Business: change data handling practices (e.g. display legal language to users, for instance when collecting consent)
Architectural note:
• All this can be done with program logic.
• But if you encode this knowledge in an ontology (e.g. "email address leads to spam"), you can reuse it, share it, standardize it, and put it under the control of the stakeholders.
Ontology reasoning for access control
• Access control applications need to be able to minimize the information required to authorize an access request.
• E.g. instead of asking for my age to access a service (e.g. a gambling service), it could check whether I can prove I hold a driving licence.
Example 2: anonymizing access control
• I want to access a service, but I do not want to reveal my age.
• The service, however, needs to know that I am over 18 to satisfy legal requirements.
• The service already knows that I hold a driving licence.
Example 2: anonymizing access control
Suppose the service has access to an ontology which contains (e.g.) the following concepts and relationships:
• Concepts: DRIVERS LICENSE, CREDENTIAL, PERSON
• Properties:
  - HOLDS CREDENTIAL (can exist between Persons and Credentials, e.g. Giles Hogben HOLDS CREDENTIAL a British passport)
  - HAS AGE (can exist between Persons and integers, e.g. Giles Hogben HAS AGE X, where X is an integer)
• Restrictions:
  - If a Person HOLDS CREDENTIAL a DRIVERS LICENSE, that person HAS AGE > 18
  (As the earlier slide's wording "if a person is Italian and has a driving licence" makes explicit, this restriction is only sound for licences from jurisdictions whose minimum driving age is 18; the ontology must scope it to the issuing authority.)
Example 2
• Using the above ontology, the access control application can allow me access without asking me what my age is, because it can deduce what it needs to know from the fact that I hold a driving licence.
Example 3: anonymizing access control
• I am a doctor and I want to access the medical records of a certain patient.
• In order to have access, I must be a health professional with a grade superior to a nurse.
• I can present a credential which certifies that I am a surgeon.
Example 3: anonymizing access control
Suppose the service has access to an ontology which contains (e.g.) the following concepts and relationships:
• Concepts: StudentDoctor (is a Doctor), Surgeon (is a Doctor), Nurse (is a Health Professional), Doctor (is a Health Professional), Health Professional
• Properties: SuperiorTo (can exist between Persons)
• Restrictions:
  - SuperiorTo is transitive (i.e. if x SuperiorTo y and y SuperiorTo z, then x SuperiorTo z)
  - Student Doctors are SuperiorTo Nurses
  - Surgeons are SuperiorTo Student Doctors
Example 3
Using the above ontology and only the fact that I can prove I am a surgeon, the application can allow me access to the patient's records.
See the Java demo application.
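The following is an added example, not the talk's Java/Jena demo: a small forward-chaining reasoner over RDF-style triples that covers the RDF/OWL section (subclass and category inference, as in "religion data is in category Sensitive Data"), the Jena rules shown above, and the two access-control cases of Examples 2 and 3. The namespace prefixes (eg:, ex:), class names, the individuals and the "hasAgeOver" property are assumptions; unlike the slide's Jena rules, the grade ordering (superiorTo) is stated between classes rather than between individuals, so no nurse needs to be present in the knowledge base for a surgeon to be admitted:

```python
"""Forward-chaining reasoner over (subject, predicate, object) triples.

Added example; names, individuals and the eg:/ex: prefixes are assumptions.
"""

RDF_TYPE = "rdf:type"
SUBCLASS_OF = "rdfs:subClassOf"
SUPERIOR_TO = "eg:superiorTo"

# TBox: the ontology, written as triples (constructed from the slides' examples).
ONTOLOGY = {
    ("eg:StudentDoctor", SUBCLASS_OF, "eg:Doctor"),
    ("eg:Surgeon", SUBCLASS_OF, "eg:Doctor"),
    ("eg:Doctor", SUBCLASS_OF, "eg:HealthProfessional"),
    ("eg:Nurse", SUBCLASS_OF, "eg:HealthProfessional"),
    ("eg:StudentDoctor", SUPERIOR_TO, "eg:Nurse"),
    ("eg:Surgeon", SUPERIOR_TO, "eg:StudentDoctor"),
    ("eg:ReligionData", SUBCLASS_OF, "eg:SensitiveData"),
    ("eg:SensitiveData", SUBCLASS_OF, "eg:Data"),
}

# Rules: (premises, conclusions). Terms starting with '?' are variables.
RULES = [
    # RDFS-style entailments: subClassOf is transitive and propagates rdf:type.
    ([("?c", SUBCLASS_OF, "?d"), ("?d", SUBCLASS_OF, "?e")], [("?c", SUBCLASS_OF, "?e")]),
    ([("?x", RDF_TYPE, "?c"), ("?c", SUBCLASS_OF, "?d")], [("?x", RDF_TYPE, "?d")]),
    # Example 3: SuperiorTo is transitive.
    ([("?x", SUPERIOR_TO, "?y"), ("?y", SUPERIOR_TO, "?z")], [("?x", SUPERIOR_TO, "?z")]),
    # Example 2: holding a driving licence implies age over 18 (assumption: only
    # sound where the issuing jurisdiction's minimum driving age is 18).
    ([("?p", "eg:holdsCredential", "eg:DrivingLicence")], [("?p", "eg:hasAgeOver", "18")]),
]

# ABox: constructed sample facts about individuals.
FACTS = {
    ("ex:alice", "eg:holdsCredential", "eg:DrivingLicence"),
    ("ex:bob", "eg:holdsCredential", "eg:Passport"),
    ("ex:carol", RDF_TYPE, "eg:Surgeon"),
    ("ex:dave", RDF_TYPE, "eg:Nurse"),
    ("ex:erin", RDF_TYPE, "eg:StudentDoctor"),
    ("ex:religionField", RDF_TYPE, "eg:ReligionData"),
}


def _unify(pattern, triple, binding):
    """Extend `binding` so that `pattern` matches `triple`, or return None."""
    b = dict(binding)
    for p, t in zip(pattern, triple):
        if p.startswith("?"):
            if b.setdefault(p, t) != t:
                return None
        elif p != t:
            return None
    return b


def _matches(premises, facts, binding):
    """Yield every binding under which all premises occur in `facts`."""
    if not premises:
        yield binding
        return
    for triple in facts:
        b = _unify(premises[0], triple, binding)
        if b is not None:
            yield from _matches(premises[1:], facts, b)


def infer(facts, rules=RULES):
    """Forward-chain to a fixpoint. Terminates because conclusions only
    re-use terms already bound in the premises, so the vocabulary is finite."""
    kb = set(facts)
    while True:
        new = set()
        for premises, conclusions in rules:
            for b in _matches(premises, kb, {}):
                for pattern in conclusions:
                    triple = tuple(b.get(term, term) for term in pattern)
                    if triple not in kb:
                        new.add(triple)
        if not new:
            return kb
        kb |= new


def can_access_age_restricted(person, facts=FACTS):
    """Example 2: admit without ever learning the age; only 'over 18' is needed."""
    kb = infer(ONTOLOGY | facts)
    return (person, "eg:hasAgeOver", "18") in kb


def can_access_records(person, facts=FACTS):
    """Example 3: a health professional whose grade is superior to Nurse."""
    kb = infer(ONTOLOGY | facts)
    if (person, RDF_TYPE, "eg:HealthProfessional") not in kb:
        return False
    classes = {o for s, p, o in kb if s == person and p == RDF_TYPE}
    return any((c, SUPERIOR_TO, "eg:Nurse") in kb for c in classes)


def categories_of(item, facts=FACTS):
    """Example 1: every category an item falls into (religion -> Sensitive Data -> Data)."""
    kb = infer(ONTOLOGY | facts)
    return {o for s, p, o in kb if s == item and p == RDF_TYPE}


if __name__ == "__main__":
    for who in ("ex:alice", "ex:bob"):
        print(who, "age-restricted service:", can_access_age_restricted(who))
    for who in ("ex:carol", "ex:erin", "ex:dave", "ex:alice"):
        print(who, "patient records:", can_access_records(who))
    print("ex:religionField ->", sorted(categories_of("ex:religionField")))
```

Two points the slides make are visible in the code: the access decisions never read an age or a full credential set, only the derived triples the policy actually needs, and the domain knowledge (which grades outrank which, what a licence implies) lives in data that stakeholders can inspect and change, not in the if-statements of the application.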
What do these examples show?
• Ontologies can translate between different views of the world, i.e. those of users, lawyers, enterprises and developers.
• Flexible use of credentials and easy reasoning, e.g. the ability to accept a credential that gives greater anonymity. A further developed ontology could make judgements about the level of anonymity of each credential and select the most anonymous one.
Ontology-based architecture
• The policy contains data specific to the individual or enterprise (and may also contain rules)
• The ontology defines general concepts and relationships
• The application logic contains generic rules
• All three may contain rules: the ontology holds rules valid for the whole domain (e.g. one controller per data collection act), while the policy holds rules specific to the enterprise
[Diagram: Policy, Ontology, Application Logic]
Ontologies and XML
XML
• Provides informal ontological semantics (e.g. tag nesting == subclassing, etc.)
• Existing software can parse and search XML
• Easy for the techie to read
• Many informal ontologies exist in XML (e.g. P3P)
• Not all ontological concepts can be expressed (e.g. sameIndividualAs, disjointWith, complementOf, etc.)
• No formal semantics
• Not suited to reasoning
OWL/RDF (became an official W3C specification on 10 February 2004)
• Much richer syntax (e.g. disjoint, complete, sameAs, etc.)
• Formal semantics, more suited to reasoning
• Almost impossible to read by eye, even for techies
• No parsers incorporated in current software