
  • Number of slides: 15

Privacy Policy Management
October 11, 2007
Privacy Policy, Law and Technology • Carnegie Mellon University • Fall 2007 • Lorrie Cranor • http://cups.cmu.edu/courses/privpolawtech-fa07/

Privacy & security policy management
• http://projects.cerias.purdue.edu/ocrproj/
• Today many organizations have ad hoc policies
  - Difficult to enforce reliably
• Policy management frameworks promote consistent policy enforcement
• Components
  - Policy authoring
  - Policy conflict/gap detection/resolution
  - Policy enforcement
  - Policy communication
  - Policy composition and comparison (combining multiple policies)

Privacy languages serve many roles
• Specify organization’s privacy policy to end users and their agents
• Specify users’ privacy preferences to users’ agent
• Specify organization’s privacy policy to gatekeeper server that can approve or deny requests to access database
• Specify policy associated with particular data elements to parties that buy or rent data

Can one privacy language do it all?
• Maybe…
• But so far none have emerged
• We’ve found over a dozen privacy languages (including several access control and rule languages used for privacy applications)
• Languages have different audiences, specify policies at different levels of granularity, and have different strengths and weaknesses

Privacy Languages
• A P3P Preference Exchange Language (APPEL)
• Alliance Identity - Web Services Framework (ID-WSF)
• Customer Profile Exchange (CPExchange)
• Declarative Privacy Authorization Language (DPAL)
• Enterprise Privacy Authorization Language (EPAL)
• eXtensible Access Control Markup Language (XACML)
• GEOPRIV
• Platform for Enterprise Privacy Practices (E-P3P)
• Platform for Privacy Preferences (P3P)
• Privacy Rights Markup Language (PRML)
• Privacy Template
• Security Assertion Markup Language (SAML)
• XML Access Control Language (XACL)
• X-Path Based Preference Language (XPref)

Genealogy of languages

EPAL
• Enterprise Privacy Authorization Language
• Developed by IBM, submitted to W3C
• Allows enterprises to develop granular rules to check whether data access is authorized
• Similar to P3P syntax but not identical
• Includes
  - Data-categories
  - User-categories - administrators, doctors, etc.
  - Purposes
  - Actions - disclose, read, etc.
  - Obligations - delete after 30 days, get consent, etc.
  - Conditions - user category = doctor
• Allow and deny rules
http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/

User privacy preferences
• P3P 1.0 agents may (optionally) take action based on user preferences
  - Users should not have to trust privacy defaults set by software vendors
  - User agents that can read APPEL (A P3P Preference Exchange Language) files can offer users a number of canned choices developed by trusted organizations
  - Preference editors allow users to adapt existing preferences to suit own tastes, or create new preferences from scratch
  - For more info on APPEL see http://www.w3.org/TR/WD-P3P-preferences or Chapter 13 in Web Privacy with P3P

Microsoft privacy template language
• See Appendix D of Web Privacy with P3P
  - http://msdn.microsoft.com/library/default.asp?url=/workshop/security/privacy/overview/privacyimportxml.asp
• Specifies rules for user agents to handle various types of cookies
• Based on P3P compact policy tokens
• Allows policies for specific web sites

Microsoft example


APPEL rule pattern
• description
• connective
  - or
  - and
  - non-or
  - non-and
  - and-exact
  - or-exact
• Behavior
  - request
  - block
  - limited

What does this APPEL ruleset do?


Creating APPEL rule sets
• Express your personal privacy preferences in English
  - Example: "I don't want companies to share my data."
• Translate your rules into P3P vocabulary elements
  - Example: "RECIPIENT=ours"
• Create an APPEL ruleset that represents your privacy preference rules (plus a catchall rule)
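The three steps above, worked through in Python as an added example (not part of the original slides). It is a simplified model: a P3P policy is reduced to its set of RECIPIENT tokens rather than matched as XML the way a real APPEL engine does, and the function names, rule dictionaries and sample policies are constructed for illustration.

```python
# Simplified model of APPEL rule evaluation (added example, not from the slides).
# Assumption: a policy is reduced to the set of RECIPIENT tokens it declares.

def connective_matches(connective, rule_tokens, evidence_tokens):
    """Apply one APPEL connective to a rule's tokens and the policy's tokens."""
    rule, evidence = set(rule_tokens), set(evidence_tokens)
    found = rule & evidence
    only_listed = evidence <= rule      # policy declares nothing beyond the rule's list
    if connective == "or":              # at least one listed token is present
        return bool(found)
    if connective == "and":             # every listed token is present
        return found == rule
    if connective == "non-or":          # none of the listed tokens is present
        return not found
    if connective == "non-and":         # at least one listed token is missing
        return found != rule
    if connective == "or-exact":        # "or", and nothing unlisted is present
        return bool(found) and only_listed
    if connective == "and-exact":       # "and", and nothing unlisted is present
        return found == rule and only_listed
    raise ValueError(f"unknown connective: {connective}")


def evaluate(ruleset, recipients):
    """Return the behavior of the first rule that fires; rules are tried in order."""
    for rule in ruleset:
        if rule["connective"] is None:  # catch-all rule: always fires
            return rule["behavior"]
        if connective_matches(rule["connective"], rule["recipients"], recipients):
            return rule["behavior"]
    raise ValueError("ruleset has no catch-all rule")


# Steps 1-2: "I don't want companies to share my data" -> accept only RECIPIENT=ours.
# Step 3: one rule for the preference plus a catch-all.
NO_SHARING = [
    {"behavior": "request", "connective": "or-exact", "recipients": ["ours"]},
    {"behavior": "block", "connective": None, "recipients": []},
]

# Constructed sample policies, reduced to their RECIPIENT tokens.
SAMPLES = {"shop-a": ["ours"], "shop-b": ["ours", "unrelated"], "shop-c": ["same", "delivery"]}

if __name__ == "__main__":
    for site, recipients in SAMPLES.items():
        print(site, evaluate(NO_SHARING, recipients))
```

Using `or` instead of `or-exact` in the first rule would let shop-b through, because `ours` is present even though the policy also declares `unrelated`.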

Using APPEL to analyze P3P policies
• Toolkit for Automated Privacy Policy Analysis (TAPPA)
• http://cups.cmu.edu/tappa/

Homework 3 Discussion
• http://cups.cmu.edu/courses/privpolawtech-fa07/hw/hw3.html
• Web bugs - What are they used for? Do these uses raise privacy concerns?
• P3P user agent critiques