Privacy Negotiations with P3P
W3C Privacy Workshop, 17.10.2006, Ispra
Sören Preibusch
W3C Privacy Workshop, 17.10.2006, Sören Preibusch (slide 2)
Overcoming current drawbacks
– static privacy policy
  • one size fits all
  • take it or leave it
  • ex ante
– negotiated privacy contracts
  • individually agreed
  • compensation
  • ad hoc
Existing Privacy Languages
– Privacy Preference Languages (user side)
  • APPEL, XPref
– Data Handling Descriptions (user / provider interface)
  • P3P
– Organizational Guidelines / Rules (provider side)
  • EPAL
Privacy Negotiations
– Two parties:
  • service provider
  • service user / requestor
– P3P describes data handling at the user/provider interface
– Preference languages support the negotiations
– Rules enforce the negotiated contract
Privacy Negotiations at a glance
– Service Provider and Customers individually negotiate the data handling practices
  • the customer gets a compensation for disclosure, e.g. a rebate
  • each possible tuple (data, rebate) is a different contract
– Privacy Dimensions span the Data Space
  • for each dimension, different revelation levels exist
  • revelation thresholds indicate a minimum revelation level
Negotiation design
– Unit of analysis:
  • P3P statement
– Negotiable attributes:
  • Privacy dimensions of a statement
– Integrative negotiations:
  • Offers are alternative statements
Privacy Dimensions in P3P
– P3P top-level Privacy Dimensions
  • Recipient
  • Purpose
  • Retention
  • Data
– Non-negotiable P3P elements
  • Consequence
  • meta-information
Extending P3P
– Extending the Policy Reference File (PRF)
  • only compatible browsers find negotiable policies
– Extending P3P Policies
  • multiple alternative statements
– Semantic equivalence
  • between one negotiable policy and multiple standard policies
  • backward compatibility
The new P3P elements
– Two elements added as extensions
  • NEGOTIATION-GROUP-DEF
  • NEGOTIATION-GROUP
– Comparable to the existing tandem
  • STATEMENT-GROUP-DEF
  • STATEMENT-GROUP
– Seamless extension
Negotiable P3P Policy
– NEGOTIATION-GROUP-DEF
  • defines an abstract pool of alternative usage scenarios, e.g. "newsletter format"
  • different statements correspond to different usage alternatives
– NEGOTIATION-GROUP
  • indicates pool membership of a given statement
  • the statement specifies the details of the usage alternative
Example of a negotiable P3P Policy
Figure: a negotiable privacy policy is a P3P Policy carrying one NEGOTIATION-GROUP-DEF (id="newsletter"); the negotiation alternatives are two P3P Statements, each tagged with a NEGOTIATION-GROUP (id="newsletter_generic" and id="newsletter_personalized", both with groupid="newsletter").
Example of a negotiable P3P Policy
<POLICY>
  <EXTENSION optional="no">
    <PRINT:NEGOTIATION-GROUP-DEF id="newsletter" standard="newsletter_personalized"
        fallback="newsletter_generic" selected="newsletter_personalized" />
  </EXTENSION>
  <STATEMENT>
    <EXTENSION optional="no">
      <PRINT:NEGOTIATION-GROUP id="newsletter_generic" groupid="newsletter"
          serviceuri="/services/newsletter/unpersonalized"
          benefits="You get a standard newsletter and no personal data is collected." />
    </EXTENSION>
    …
    <DATA-GROUP>
      <DATA ref="#user.home-info.online.email"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <EXTENSION optional="no">
      <PRINT:NEGOTIATION-GROUP id="newsletter_personalized" groupid="newsletter"
          serviceuri="/services/newsletter/personalized"
          benefits="You get a personalized newsletter, promoting only the products you are interested in." />
    </EXTENSION>
    …
    <DATA-GROUP>
      <DATA ref="#user.home-info.online.email"/>
      <DATA ref="#dynamic.miscdata">
        <CATEGORIES><preference/></CATEGORIES>
      </DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
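The semantic equivalence claimed on the "Extending P3P" slide (one negotiable policy equals a set of standard policies, so legacy agents stay compatible) and the "acknowledgement by URI retrieval" design principle can both be checked mechanically. The following Python is an added example, not code from the slides or from the author's XML schemas: it parses a policy shaped like the newsletter example, validates that the standard/fallback/selected attributes point at real alternatives of their group, expands the policy into the standard P3P policies it is equivalent to, and looks up the serviceuri whose retrieval acknowledges an alternative. The PRINT namespace URI is a placeholder (the slides do not give one), and the reading of `standard` as "what a non-negotiating agent is served" is an assumption.

```python
"""Added example (not from the slides): validate a negotiable P3P policy and
expand it into the equivalent set of standard P3P policies.

Assumptions: the PRINT namespace URI below is a placeholder (the slides do not
give one); `standard` names the alternative a legacy, non-negotiating agent is
served; acknowledging an alternative means retrieving its serviceuri."""
import copy
import itertools
import xml.etree.ElementTree as ET

PRINT_NS = "http://example.invalid/p3p-print"        # placeholder namespace
GROUP_DEF = f"{{{PRINT_NS}}}NEGOTIATION-GROUP-DEF"
GROUP = f"{{{PRINT_NS}}}NEGOTIATION-GROUP"

# Constructed sample modelled on the newsletter policy of the slides; the
# elided statement parts are left out, only the DATA-GROUPs are kept.
SAMPLE_POLICY = f"""<POLICY xmlns:PRINT="{PRINT_NS}">
  <EXTENSION optional="no">
    <PRINT:NEGOTIATION-GROUP-DEF id="newsletter" standard="newsletter_personalized"
        fallback="newsletter_generic" selected="newsletter_personalized"/>
  </EXTENSION>
  <STATEMENT>
    <EXTENSION optional="no">
      <PRINT:NEGOTIATION-GROUP id="newsletter_generic" groupid="newsletter"
          serviceuri="/services/newsletter/unpersonalized"
          benefits="You get a standard newsletter and no personal data is collected."/>
    </EXTENSION>
    <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <EXTENSION optional="no">
      <PRINT:NEGOTIATION-GROUP id="newsletter_personalized" groupid="newsletter"
          serviceuri="/services/newsletter/personalized"
          benefits="You get a personalized newsletter."/>
    </EXTENSION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.online.email"/>
      <DATA ref="#dynamic.miscdata"><CATEGORIES><preference/></CATEGORIES></DATA>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""


def parse_policy(xml_text):
    """Return (root, group definitions by id, alternatives by groupid);
    alternatives[groupid][alt_id] = (NEGOTIATION-GROUP attributes, STATEMENT element)."""
    root = ET.fromstring(xml_text)
    defs = {d.get("id"): dict(d.attrib) for d in root.iter(GROUP_DEF)}
    alternatives = {}
    for stmt in root.findall("STATEMENT"):
        for g in stmt.iter(GROUP):
            alternatives.setdefault(g.get("groupid"), {})[g.get("id")] = (dict(g.attrib), stmt)
    return root, defs, alternatives


def validate(defs, alternatives):
    """Consistency checks a negotiating agent should run before trusting the policy."""
    problems = []
    for gid, attrs in defs.items():
        alts = alternatives.get(gid, {})
        if len(alts) < 2:
            problems.append(f"group {gid!r} has {len(alts)} alternative(s): nothing to negotiate")
        for role in ("standard", "fallback", "selected"):
            ref = attrs.get(role)
            if ref is None:
                problems.append(f"group {gid!r} lacks the {role!r} attribute")
            elif ref not in alts:
                problems.append(f"group {gid!r}: {role}={ref!r} is not one of its alternatives")
    for gid in alternatives:
        if gid not in defs:
            problems.append(f"statement references undefined group {gid!r}")
    return problems


def standard_policy(root, alternatives, chosen):
    """Copy of the policy with the extension stripped and, per group, only the
    alternative named in `chosen` (groupid -> alt id) kept; statements outside
    any group are kept unchanged. The original tree is not modified."""
    policy = copy.deepcopy(root)
    for ext in list(policy.findall("EXTENSION")):
        if ext.find(GROUP_DEF) is not None:
            policy.remove(ext)
    for stmt in list(policy.findall("STATEMENT")):
        groups = list(stmt.iter(GROUP))
        if not groups:
            continue
        if chosen.get(groups[0].get("groupid")) != groups[0].get("id"):
            policy.remove(stmt)
            continue
        for ext in list(stmt.findall("EXTENSION")):
            if ext.find(GROUP) is not None:
                stmt.remove(ext)
    return policy


def expand(root, defs, alternatives):
    """All standard policies the negotiable policy is equivalent to: one per
    combination of alternatives, as (choice dict, POLICY element) pairs."""
    gids = sorted(defs)
    combos = itertools.product(*(sorted(alternatives.get(g, {})) for g in gids))
    return [(dict(zip(gids, c)), standard_policy(root, alternatives, dict(zip(gids, c)))) for c in combos]


def data_refs(policy):
    """The DATA refs a policy declares, for comparing what each alternative collects."""
    return {d.get("ref") for d in policy.iter("DATA")}


def acknowledgement_uri(alternatives, gid, alt_id):
    """URI whose retrieval signals acceptance of an alternative (no extra protocol)."""
    return alternatives[gid][alt_id][0]["serviceuri"]


if __name__ == "__main__":
    root, defs, alts = parse_policy(SAMPLE_POLICY)
    print("problems:", validate(defs, alts))
    for choice, pol in expand(root, defs, alts):
        print(choice, sorted(data_refs(pol)))
    print("standard alternative:", acknowledgement_uri(alts, "newsletter", defs["newsletter"]["standard"]))
```

Running it lists no problems, two equivalent standard policies (the generic one collecting only the e-mail address, the personalized one adding the preference data) and the serviceuri of the standard alternative; the validation step is the part a user agent should not skip, since a dangling `selected` or `fallback` reference would otherwise leave it with no statement to apply.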
Design Principles
– lightweight extension
– no policy-exchange protocol, but acknowledgement by URI retrieval
– full backward compatibility
– negotiations can be realized in a "safe zone"
Presenting all alternatives at once
– P3P principle: "choice and control"
– informed consent based on all alternatives
– facilitate negotiation support systems
– secret policies may be overt by repeated transactions
– economic considerations
Another application: substitutive data types
Figure (built up over four slides): the data space spanned by two substitutive data types, office address and home address, each axis carrying the revelation levels 0, C and CZS. The space is partitioned into regions R1 and R2 and labelled with user types: R2 marginally concerned, R1 profile averse, R1 identity concerned.
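The data-space model of the "Privacy Negotiations at a glance" slide and the substitutive-data-types figure above, as an added example that is not part of the slides: privacy dimensions with ordered revelation levels, a provider-side revelation threshold that either of two substitutive data types can satisfy, and user types that accept or reject (data, rebate) contracts. The level order 0 < C < CZS, the threshold "one complete address", the acceptance rules attached to the three user types and the offers themselves are constructed assumptions; the slides only name the levels, the dimensions and the user types.

```python
"""Added example (not from the slides): negotiation over a data space with
substitutive data types.

Assumptions: the order 0 < C < CZS of the address revelation levels, the
threshold "a complete office OR home address", the acceptance rules of the
three user types and the offered contracts are all constructed here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ADDRESS_LEVELS = ("0", "C", "CZS")       # revelation levels, least to most revealing

DIMENSIONS = {                           # privacy dimensions spanning the data space
    "office address": ADDRESS_LEVELS,
    "home address": ADDRESS_LEVELS,
}


def level_index(dimension: str, level: str) -> int:
    """Position of a revelation level on its dimension's ordered scale."""
    return DIMENSIONS[dimension].index(level)


@dataclass(frozen=True)
class Contract:
    """One (data, rebate) tuple offered by the provider."""
    revelation: Dict[str, str]   # dimension -> level the user would disclose
    rebate: float                # compensation for the disclosure


# A revelation threshold lists alternatives, each a minimum level per
# dimension; satisfying any one alternative is enough. This is how the
# substitutive data types enter: a full office address OR a full home address.
Threshold = List[Dict[str, str]]
ADDRESS_THRESHOLD: Threshold = [{"office address": "CZS"}, {"home address": "CZS"}]


def meets_threshold(contract: Contract, threshold: Threshold) -> bool:
    """True if the contract reaches the minimum level of at least one alternative."""
    return any(
        all(level_index(d, contract.revelation.get(d, "0")) >= level_index(d, minimum)
            for d, minimum in alternative.items())
        for alternative in threshold
    )


@dataclass(frozen=True)
class UserType:
    name: str
    accepts: Callable[[Dict[str, str]], bool]   # user-side acceptance rule


def revealed(revelation: Dict[str, str]) -> List[str]:
    """Dimensions on which anything at all is disclosed."""
    return [d for d, lvl in revelation.items() if level_index(d, lvl) > 0]


USER_TYPES = {
    # Labels from the slides; the rules are assumed readings of those labels.
    "marginally concerned": UserType("marginally concerned", lambda r: True),
    # at most one data type disclosed, so no profile can be assembled
    "profile averse": UserType("profile averse", lambda r: len(revealed(r)) <= 1),
    # never beyond level C on any dimension
    "identity concerned": UserType(
        "identity concerned",
        lambda r: all(level_index(d, lvl) <= level_index(d, "C") for d, lvl in r.items())),
}


def negotiate(offers: List[Contract], threshold: Threshold, user: UserType) -> Optional[Contract]:
    """Pick the offer the user accepts that also meets the provider's threshold,
    preferring the higher rebate and, on ties, the lesser disclosure.
    Returns None when no contract is acceptable to both sides."""
    feasible = [c for c in offers if meets_threshold(c, threshold) and user.accepts(c.revelation)]
    if not feasible:
        return None
    return max(feasible, key=lambda c: (c.rebate, -sum(level_index(d, l) for d, l in c.revelation.items())))


# Constructed offers: every tuple (data, rebate) is a distinct contract.
OFFERS = [
    Contract({"office address": "0",   "home address": "0"},   0.0),
    Contract({"office address": "C",   "home address": "C"},   1.0),
    Contract({"office address": "CZS", "home address": "0"},   2.0),
    Contract({"office address": "0",   "home address": "CZS"}, 3.0),
    Contract({"office address": "CZS", "home address": "CZS"}, 5.0),
]

if __name__ == "__main__":
    for name, user in USER_TYPES.items():
        deal = negotiate(OFFERS, ADDRESS_THRESHOLD, user)
        print(name, "->", None if deal is None else (deal.revelation, deal.rebate))
```

The marginally concerned user ends up disclosing both addresses for the largest rebate, the profile-averse user takes the single-address contract with the better rebate, and the identity-concerned user gets no contract at all: every offer they accept stays below the provider's threshold, which is the case the fallback alternative of the policy extension has to cover.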
Status and Future Work
– XML schema definitions available
  • for extended Policy Reference File and P3P Policies
  • XSLT for backward transformation
  • example files
– sound economic background
– software support
  • browser integration
  • authoring tools and deployment tools
– experiments on user behaviour
Thank you!
– Sören Preibusch
  German Institute for Economic Research (DIW Berlin)
  Königin-Luise-Str. 5, 14195 Berlin, Germany
– http://preibusch.de/publ