part 5 enterprise privacy policies
Post on 12-Jan-2016
26 Views
Preview:
DESCRIPTION
TRANSCRIPT
IBM Zurich Research Lab
© 2004 IBM Corporation
PART 5Enterprise Privacy Policies
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Motivation
Your personal data will Your personal data will be handled with carebe handled with care
??????
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Consumers are concerned about privacy $15B in e-commerce lost in 2001(27% of projected revenues for 2001)
50%+ extremely/very concerned about online privacy, 30% somewhat concerned
37% current online consumers would buy more if not worried about privacy
34% internet users who don't buy online would start if privacy concerns addressed
Only 6% think benefits of giving up personal information outweigh privacy concernsSource of survey data: Forrester 10/2001
... and are taking action
78% say have refused to give information to a business because too personal or not really needed (42% in 1990)
80% rate privacy protection of consumer information as important in their selection of companies to patronize
Almost 50% believe they have personally been the victim of a consumer privacy invasion
Source of survey data: PCG and Louis Harris poll
Security
Privacy
Untimely Delivery
Unavailable Item
Difficult Purchase
0 10 20 30 40 50 60
Why consumers don't buy online
54%
52%
20%
13%
11%
Source: ZD Market Intelligence, 1999
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Focus on Enterprise Privacy Technologies
Privacy-enhancing Infrastructure
ClientOrganization
Privacy-enhancing Infrastructure
Client-side PETs to ƒminimize data disclosedƒ filter data receivedƒkeep track of dataƒcontrol multiple identitiesƒ ...
Infrastructure PETs toƒhide relationsƒunlinkable credentialsƒMixesƒ ...
What happens to the data once disclosed?
How to enable businesses to work with pseudonyms?
How to authenticate and authorize, relative to a pseudonym?
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Life-Cycle of Personal Data
Subjector Guardianor Authority
4. Anonymized use
give consentupdateaccesswithdraw consent
3. Depersonalized use
anonymizerelease
2. Personalized use
disclose
utilize
delete
repersonalize depersonalize
form = data + rules
Law, regulations, privacy agreements, preferences, consent
Data Subject
notify
Rules
Rules
authorization, obligation
request ...
1a. Collection
1b. Control
Data User
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Motivation
Enterprise privacy policies and their enforcement are a fundamental issue in practice:
► Reflect different legal regulations► Used to capture promises made to customers► More restrictive internal practices► Incorporating customer preferences
Privacy policies may be authored, maintained, and audited in a distributed fashion
Important task is to provide tools for such management of enterprise privacy policies
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Motivation
Policy refinement
► Roughly, one policy refines another if using the first policy automatically also fulfills the second one.
► Refinement as the central notion for many situations in policy management, e.g., checking whether an enterprise policy adheres to legal regulations
Policy composition
► Notion of constructively combining two policies
► Several notions exist for different purposes:
Mandatory sub-policies
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Outline
1.The Platform for Enterprise Privacy Policies (E-P3P)
2.A Toolkit for Managing E-P3P Enterprise Privacy Policies
3.Summary
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
E-P3P/EPAL
Vocabulary defines scope:►Data, users, and purposes as hierarchies►Operations, obligations as lists
Rules authorize access: A [user] should be [allowed or denied] the ability to perform [action] on [data] for [purpose] under [condition] yielding an [obligation].
Example: "Email can be used for the book-of-the-month club if consent has been given and age is more than 13":
default ruling: allow, deny, don’t care
Data-UserOperation
Condition
Purpose
Obligation
DataDataCategoryCategory
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
EPAL policy - a list of rules, sorted by priority
► Elements of a rule
• user u1, u2, … e.g., “borderless-books”
• action a1, a2, … e.g., “read”
• for purpose p1, p2, … e.g., “book-of-the-month-club”
• on data d1, d2, … e.g., “email”
• under condition c1, c2, … e.g., “age >= 18“
• yielding decision r1, r2, … e.g., “allow”
• and an obligation o1, o2, … e.g., “write audit”
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Policy maps any well-defined authorization request(user, action, purpose, data, variable assignment)
to decision {allow, deny, don’t care} + obligations
Completion of rule set through inheritance► allow inherits down along hierarchies, deny inherits up and down
Check rules in given order for applicability► rule covers request directly / by inheritance ► condition/s are satisfied
(More sophisticated issue: Incomplete variable assignments:
• If a deny-rule could still apply, then we let it apply
• If an allow-rule may not apply, then we let it not apply )
Decision► First applicable deny/allow-rule decides + take rule’s obligation/s ► If there is none then take default ruling
Semantics of EPAL: Authorization
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Outline
1.The Platform for Enterprise Privacy Policies (E-P3P)
2.A Toolkit for Managing E-P3P Enterprise Privacy Policies
3.Summary
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Summary of Tools in the Toolbox Policy refinement for comparing policies
► A policy refines another if using the first policy automatically also satisfies the second one.
► Central notion in policy management: compliance with legal regulations
The main tool is policy composition
► Notion of constructively combining two policies
► For different purposes, several notions existAND, OR, Ordered Composition
► Operators collected in an algebraic structure together with results about the relationship between composition and refinement
Mandatory sub-policies
P1 < P2
P1 & P2
P1 + P2
<P1 P2
M1 D1
P1 P2
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Policy Refinement
Refinement intuitively means to add details to an existing policy while preserving the original privacy statements:
► Ruling: Whenever the original policy allows (denies) a request, the refined policy also allows (denies) the request.
► Obligation: Fulfillment of the refined obligations implies fulfillment of the original obligations for every request.
(u, a, d, p, ass)
(r1, o1) (r2, o2)
P1 P2<
r1 refines r2 and o1 refines o2
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Policy Refinement
What does it mean that r1 refines r2 (r1 < r2) ?
► If r2 {deny, allow} then r1 = r2
(weak form also: r2 = allow and r1 = deny)
► If r2 = out-of-scope then r1 can be arbitrary
► If r2 = don’t care then r1 {deny, allow, don’t care}
Meaning of “o1 refines o2” slightly more complicated
Simply using o1 => o2 not suited, e.g., P1: o1 = “delete now”, o = “delete in a day” with o1 => o
P2: o = “delete in a day”, o2 = “delete in a week” with o => o2
Now “o1 refines o2” if thereexists o O1 O2 such that o1 => o => o2
o1
o o2
P1P2
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Algebra for Policy Composition and Refinement
Policy Composition: Notion of constructively combining two policies
Collection of composition operators that are shown to work together in intuitively meaningful ways
► Ordered Composition: Master / Slave composition:► Logical composition: Build the conjunction or the disjunction of two
policies► Scoping Operation: Restrict a policy to sub-scope
Show suitable relations among these operators, e.g., distributivity, associativity, refinement relations etc.
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Ordered Composition
Master / Slave Composition
Achievable by precedence shift + some tedious details (dealing with out-of-scope errors, default rulings, etc.)
Advantage: Ordered composition always refines Master!
P1
P2High
PrecedenceP2
P1
<
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Logical Composition (AND)
AND-Composition: Design a new policy that behaves as the conjunction
P3 defined semantically as follows from the following equivalence class:If P1 (r1,o1) and P2 (r2,o2) then P3 (r1,o1) AND (r2,o2) = (r1 AND r2, o1 o2)
Very useful in practice (take all applicable legal regulations and combine them into one policy possible with customer preferences, existing sticky policies etc.)
Main Question: Does such a policy P3 always exist?
P1 P2 P3&
No!
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Excurse: Expressiveness of E-P3P
Let P be a policy, q a request, and an assignment on the variables in P. Then we have
1.eval(P,q,) = (+,o) q* < q: eval(P,q*,) = (+,o*)
2.eval(P,q,) = (-,o) q* > q: eval(P,q*,) = (-,o*)
3.eval(P,q,) = (-,o) (1 out of the following three cond. holds)
1. q is a leaf.
2. q* < q: eval(P,q*,) = (+,o*)
3. q* < q: eval(P,q*,) = (-,o*) with o = o*
4.eval(P,q,) = (don’t care,o) o =
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Well-founded E-P3P Policies
AND/OR-Composition not possible for all E-P3P policies!
Main inherent Problem:Rules of parent element might not be related to rules of the children
Possible solution: Consider only those policies in which rules of parent elements are determined by rules of their children well-founded policies
For well-founded policies, AND/OR – composition is well-defined
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Basic Algebraic Results (well-founded EPAL)
Idempotency: P1 & P1 P1 P1 + P1 P1
Commutativity: P1 & P2 P2 & P1 P1 + P2 P2 + P1
Associativity: (P1 & P2) & P3 P1 & (P2 & P3) (P1 + P2) + P3 P1 + (P2 + P3)
Distributivity: P1 + (P2 & P3) (P1 + P3) & (P1 + P3) P1 & (P2 + P3) (P1 & P2) + (P1 & P3)
Strong Absorption: P1 + (P1 & P2) < P1 but not P1 & (P1 + P2) < P1
Legend:
= Ordered
composition
”+” = OR
“&” = AND
“” = equivalence
“<“ = refinement
<
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Advanced Algebraic Results (well-founded EPAL)
Multiplicative Refinement (conjunction is stricter than both policies):
► P1 & P2 < P1
► P1 & P2 < P2
Additive Refinement (each policy is at least as strict as the disjunction):
► P1 P1 + P2
► P2 P1 + P2
Master / Slave Refinement: ► P1 P2 < P1
Operator Refinement:► P1 & P2 P1 P2 P1 + P2<
<
Legend:
= Ordered
composition
”+” = OR
“&” = AND
“” = equivalence
“<“ = refinement
“<“ = weak refinement
<
<
<
<
<
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Outline
1.The Platform for Enterprise Privacy Policies (E-P3P)
2.A Toolkit for Managing E-P3P Enterprise Privacy Policies
3.Summary
IBM Zurich Research Lab
A Toolkit for Managing Enterprise Privacy Policies © 2004 IBM Corporation
Toolkit for maintaining, authoring, and auditing enterprise privacy languages
Mainly driven by real-life demands on privacy policies, we have introduced the following:
► The notion of refinement between privacy policies as the central notion of almost any operation on privacy policies
► Different notions of privacy policy composition
► Algebraic structure and results on composition and refinement operators
► Two-layered policies to specifically deal with enterprise internal policy management
► Treatment of incomplete data in privacy policy evaluation
► Explicit representation of conditions languages (context information)
All these cases together allow for capturing a variety of real-life use cases, i.e., safely changing companies promises with respect to customer requirements while abiding by the law
Summary
top related