This work explores and illustrates an approach to manage (user-side) P3P privacy preferences in a way inspired by a modified role-based access control model.
Management of the things that define our IT environment is quickly becoming a real issue. Part of this is how to manage one's privacy preferences (the policies of the user). It is one thing to establish a first version of one's privacy preferences; it is quite another to manage their evolution over time. This work illustrates the use of a role-based model to make management of privacy preferences more transparent.
APPEL (A P3P Preference Exchange Language) is emerging as a standard language for describing collections of preferences regarding P3P policies between P3P agents. Using this language, a user can express her preferences as a set of preference rules (called a ruleset), which her user agent can then use to make automated or semi-automated decisions about the acceptability of machine-readable privacy policies from P3P-enabled Web sites.
The formal character of the APPEL language provides us with a handle on how to define, refine, and relate different preferences with each other. We introduce a space of preference specifications, consisting of individual rulesets, and structure these in a hierarchical fashion, to represent different preferences for different kinds of accessed sites. The hierarchy of rulesets mimics the hierarchy of roles, as defined in RBAC.
The hierarchical structuring of rulesets captures the user's intended preferences across the sets of sites he can visit. This hierarchy simplifies the definition of new privacy preferences (in terms of new rulesets). On the one hand, new preferences can be defined as controlled modifications of existing preferences. On the other hand, the formal character of the APPEL language enables formal analysis of the hierarchically organised set of preferences. Such formal analysis can be used for diagnostic purposes, e.g. using heuristics to highlight possible problems in the way preferences are defined and related to each other. It can also be used for documentation purposes, to provide a structured description of the state of the set of preferences.
Management of preferences is also simplified by this hierarchical structuring of preferences. When existing preferences are modified, the consequences of proposed modification actions can be evaluated, in terms of whether these effects contradict something already stated, whether they override something that should hold, or whether they are independent of (i.e. consistent with) the existing preference hierarchy. Likewise, when new preferences are defined, the effects of inherited preferences can be highlighted.
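The following is an added illustration (not code from the paper or its demonstration system) of the two ideas above: a ruleset hierarchy whose child nodes inherit rules from their parent, as roles do in RBAC, and a diagnostic that labels a proposed rule as redundant, contradicting, overriding or independent. APPEL rules are reduced to a (behavior, purpose, recipient) triple, and the sample rulesets and the four diagnostic labels are this example's own constructions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Rule:
    """Reduced APPEL rule (an abstraction for this example): the behavior, one of
    APPEL's request/limited/block, fires when the P3P policy has a STATEMENT
    carrying this purpose and recipient."""
    behavior: str
    purpose: str
    recipient: str

@dataclass
class Ruleset:
    """Node in the ruleset hierarchy; the parent plays the senior role of RBAC."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    parent: Optional["Ruleset"] = None

    def effective_rules(self) -> List[Rule]:
        # Own rules are consulted first, then everything inherited up the chain.
        own = list(self.rules)
        inherited = self.parent.effective_rules() if self.parent else []
        return own + [r for r in inherited if r not in own]

def decide(ruleset: Ruleset, statements: Set[Tuple[str, str]]) -> Optional[str]:
    """First matching rule wins (APPEL's ordered evaluation); None when nothing matches."""
    for r in ruleset.effective_rules():
        if (r.purpose, r.recipient) in statements:
            return r.behavior
    return None

def classify_change(ruleset: Ruleset, new_rule: Rule) -> str:
    """Diagnose a proposed rule against what is already in effect at this node.
    The four labels are this example's own vocabulary, not APPEL's."""
    for r in ruleset.effective_rules():
        if (r.purpose, r.recipient) != (new_rule.purpose, new_rule.recipient):
            continue
        if r.behavior == new_rule.behavior:
            return "redundant"      # already in effect, nothing changes
        if r in ruleset.rules:
            return "contradicts"    # clashes with a rule stated at this very node
        return "overrides"          # shadows a rule inherited from an ancestor
    return "independent"

# Constructed sample hierarchy: a general ruleset and a child used for online shops.
GENERAL = Ruleset("general", [Rule("block", "telemarketing", "other-recipient"),
                              Rule("request", "current", "ours")])
SHOPS = Ruleset("online-shops", [Rule("limited", "contact", "same")], parent=GENERAL)
```

Running `classify_change(SHOPS, Rule("block", "current", "ours"))` reports "overrides", because the child would shadow a rule inherited from the general ruleset, while the same proposal against GENERAL itself reports "contradicts".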
This work is exploratory and illustrative. The aim is to exhibit how P3P and APPEL can be used at a technological level, to illustrate the impact of a management/administration point of view, and to offer a practical example of how the existing technologies (P3P and APPEL) can be put to effective use in practice.
Technologically speaking, a demonstration system has been built that visually illustrates the paradigm underlying this effort. The demonstration system explicitly focuses on the added functionality discussed above, and in order to take advantage of earlier and ongoing work in the area of P3P/APPEL, a set of existing publicly available components is re-used (user agents, preference evaluation engines, SAX/DOM tools, etc.). This approach of reusing existing software has the negative effect that certain kinds of functionality are not easily demonstrable, as existing software components do not provide, in a practical and usable way, access to certain "low level functions".
The focus of the work has been to build a tool for management of privacy preferences expressed in APPEL. This tool, an administration tool, is not closely coupled to the user agent. The user agent is a separate tool, related to the administration tool only through shared information, exchanged in a loosely coupled manner. But in order to demonstrate and visualise the effects of administration of privacy preferences, the user agent needs to be "encapsulated" in a way that enables an (admittedly not completely seamless) demonstration of the effects of management of preferences.
This activity was partly supported by grant IST-2000-28767 from the European Union's Information Society Programme to the Question How project.