an xpath-based preference language for p3p ibm almaden research center rakesh agrawal jerry kiernan...

An XPath-based Preference An XPath-based Preference Language for P3PLanguage for P3P

IBM Almaden Research CenterIBM Almaden Research Center

Rakesh AgrawalRakesh AgrawalJerry KiernanJerry KiernanRamakrishnan SrikantRamakrishnan SrikantYirong XuYirong Xu

Growing Concern about PrivacyGrowing Concern about Privacy

“Privacy #1 issue in the 21Century” -Wall Street Journal, January 24, 2000

The issues of trust, The issues of trust, privacy and security privacy and security are generally are generally believed to be the believed to be the greatest barriers to greatest barriers to widespread use of widespread use of the Internet for the Internet for commercial commercial purposes.purposes.

What is P3PWhat is P3P

Current privacy policies are written by the lawyers, for the lawyersCurrent privacy policies are written by the lawyers, for the lawyers P3P solves this problem.P3P solves this problem.

– Encodes policies in machine readable format (XML).Encodes policies in machine readable format (XML).– Goal: programatically match privacy policies with user Goal: programatically match privacy policies with user

preferences.preferences.– W3C recommendation (April 2002)W3C recommendation (April 2002)

Need preference language to make this work!Need preference language to make this work!– APPEL: W3C DraftAPPEL: W3C Draft– Unfortunately …Unfortunately …

OutlineOutline

MotivationMotivation Problems with APPELProblems with APPEL Can these problems be fixed?Can these problems be fixed? An XPath-based preference languageAn XPath-based preference language ConclusionConclusion

Context: P3P PoliciesContext: P3P Policies

<POLICY> ... ... <STATEMENT> <PURPOSE><current/><telemarketing/></PURPOSE> <RECIPIENT><ours/><delivery/></RECIPIENT> <RETENTION><indefinitely/></RETENTION> <DATA-GROUP> <DATA ref="#user.name"/> <DATA ref="#user.home-info.telecom.telephone"/> </DATA-GROUP> </STATEMENT> <POLICY>

Jack’s Simple PreferenceJack’s Simple Preference

Only purposes “current” and “pseudo-analysis” are acceptable.Only purposes “current” and “pseudo-analysis” are acceptable. Will use this example to illustrate the problems with APPEL.Will use this example to illustrate the problems with APPEL.

Jack’s First AttemptJack’s First Attempt

<appel:RULESET> <appel:RULE behavior="request"> <POLICY> <STATEMENT> <PURPOSE appel:connective="or-exact"> <current/> <pseudo-analysis/> </PURPOSE> </STATEMENT> </POLICY> </appel:RULE>

<appel:RULE behavior="block"/> <appel:OTHERWISE/> </appel:RULE></appel:RULESET>

The APPEL engine evaluates rule in order

until one fires

APPEL preferences are organized as a list

of rules




Rule head: Specifies the outcome of the rule (request or block)

Rule body: Specifies the structure and content of

matching policies




Strictly access sites which collect personal information for purposes “current” and “pseudo-analysis”

Logical connectives: Govern matching of

subelements

Problem: Policies with Multiple Problem: Policies with Multiple StatementsStatements

<POLICY> ... ... <STATEMENT> <PURPOSE><current/></PURPOSE> … … </STATEMENT>

<STATEMENT> <PURPOSE><telemarketing/></PURPOSE> … … </STATEMENT> … …<POLICY>

This statement will match, and the policy will be accepted.

This statement (tele-marketing) is exactly what Jack tried to avoid by putting “or-exact” in purpose!

Problem: A policy can have multiple statements, some of which may violate the user’s preference

Jack’s Second AttemptJack’s Second Attempt

<appel:RULESET> <appel:RULE behavior="request"> <POLICY> <STATEMENT appel:connective=“and-exact”> … … </STATEMENT> </POLICY> </appel:RULE> … …</appel:RULESET>

Use “and-exact” to ensure that each statement in the

policy satisfies the condition

Problem: The connective applies to the subelements of a STATEMENT, not to all

statements in a policy

Jack’s Second AttemptJack’s Second Attempt

<appel:RULESET> <appel:RULE behavior="request"> <POLICY appel:connective="and-exact"> <STATEMENT> … … </STATEMENT> </POLICY> </appel:RULE> … …</appel:RULESET>

Use “and-exact” to ensure that each statement in the

policy satisfies the condition

Problem: POLICY has Multiple Problem: POLICY has Multiple SubelementsSubelements

<POLICY> <ENTITY> … </ENTITY> <ACCESS> … </ACCESS> <DISPUTES> … </DISPUTES> <REMEDIES> … </REMEDIES> <STATEMENT> … … </STATEMENT> <STATEMENT> … … </STATEMENT> … …<POLICY>

Problem: POLICY has other subelements aside from

STATEMENT

Key Point: Cannot Specify What Key Point: Cannot Specify What is Acceptableis Acceptable

<POLICY> … … <STATEMENTS> <STATEMENT> … … </STATEMENT> <STATEMENT> … … </STATEMENT> </STATEMENTS> … …<POLICY>

There is no STATEMENTS tag in P3P (which could be used to specify a logical

connective)

Jack spends quality time with the Jack spends quality time with the manuals …manuals …

… … figures out he can convert his preference into specifying what figures out he can convert his preference into specifying what is unacceptable.is unacceptable.

Jack’s Third AttemptJack’s Third Attempt

<appel:RULE behavior="block"> <POLICY> <STATEMENT> <PURPOSE appel:connective="or"> <admin/><develop/><tailoring/> <pseudo-decision/><individual-analysis/> <individual-decision/><contact/> <historical/><telemarketing/> <other-purpose/> </PURPOSE> </STATEMENT> </POLICY> </appel:RULE>

Convert positive preferences into negative

preferences

Note: Must enumerate all unacceptable purposes

Problem: Does not block web sites that use extensions

How about a slightly more How about a slightly more complex preference?complex preference?

Purposes “current” and “pseudo-analysis” are acceptable Purpose “individual-analysis” is also acceptable provided the

recipient is “ours”

Negating Logical Expressions…Negating Logical Expressions…

First, have to negate the expression (since we can’t specify what First, have to negate the expression (since we can’t specify what is acceptable).is acceptable).– Forall (current OR … OR ( … AND … ) => acceptForall (current OR … OR ( … AND … ) => accept

Becomes:Becomes:– Exists !(current AND … and ( … OR … ) => blockExists !(current AND … and ( … OR … ) => block

Parse Tree of Expression Parse Tree of Expression

Or

And

Purpose = “current”

Purpose = “pseudo-analysis”

Purpose = “individual-analysis”

Recipient = “ours”

Negated Parse Tree of Negated Parse Tree of Expression Expression

And

Or

Purpose != “current”

Purpose != “pseudo-analysis”

Purpose != “individual-analysis”

Recipient != “ours”

Parse Trees that can be Parse Trees that can be Expressed in APPELExpressed in APPEL

Statementconnective

Purposeconnective

Recipientconnective

current

Individual-analysis

Pseudo-analysis

ours

Logical expressions involving PURPOSE and RECIPIENT that can be

expressed as a single APPEL rule

Cannot express the desired condition as a

single rule

The condition can be expressed as multiple

rules, but the translation is no longer

a simple negation

Translation into APPELTranslation into APPEL

block )ours"" recipient analysis"-individual" purpose

(recipient purpose,

block )analysis"-individual" purpose analysis"-pseudo" purpose

current"" purpose ( purpose

Negations must be translated into enumerations

Recap: Problems With APPELRecap: Problems With APPEL

APPEL rules cannot be used to specify what is acceptable, only APPEL rules cannot be used to specify what is acceptable, only what is unacceptablewhat is unacceptable

Logical expressions involving simple combinations of purpose, Logical expressions involving simple combinations of purpose, recipient and data are hard to expressrecipient and data are hard to express– APPEL logical connectives are tied to the structure of a APPEL logical connectives are tied to the structure of a

policypolicy Writing APPEL preferences is error prone, even for expertsWriting APPEL preferences is error prone, even for experts

– Errors in the APPEL working draftErrors in the APPEL working draft

OutlineOutline

Overview of P3P and APPELOverview of P3P and APPEL Problems with APPELProblems with APPEL Can these problems be fixed?Can these problems be fixed? An XPath-based preference languageAn XPath-based preference language ConclusionConclusion

New OperatorsNew Operators

Enumeration of unacceptable choices Enumeration of unacceptable choices – Can APPEL be fixed by adding new operators?Can APPEL be fixed by adding new operators?

Any-except logical connectiveAny-except logical connective– True if any element in the policy is not listed as a subelement True if any element in the policy is not listed as a subelement

in the rulein the rule

Any-except Operator: Helps for Any-except Operator: Helps for Example 1, but not Example 2Example 1, but not Example 2

<appel:RULE behavior="block"> <POLICY> <STATEMENT> <PURPOSE appel:connective="any-except"> <current/><pseudo-analysis/> </PURPOSE> </STATEMENT> </POLICY> </appel:RULE>

Lists acceptable choices

Preferences involving logical operators over combinations of

purpose, recipient, and data are still a problem

Modify P3P to Fix APPEL?Modify P3P to Fix APPEL?

<appel:RULE behavior="request"> <POLICY> <STATEMENTS appel:connective="or-exact"> <STATEMENT> … … </STATEMENT> <STATEMENT> … … </STATEMENT> </STATEMENTS> </POLICY> </appel:RULE>

Add a STATEMENTS tag to P3P policies to specify acceptable

policies

P3P is a W3C Recommendation and therefore hard to change

Conditions over combinations of PURPOSE, RECIPIENT and DATA

remain hard to express

Summary: Can the problems be Summary: Can the problems be fixed?fixed?

Problems with APPEL are fundamental.Problems with APPEL are fundamental. Problems arise from the design choice to structure APPEL like Problems arise from the design choice to structure APPEL like

P3PP3P Fixing APPEL would essentially mean designing a new Fixing APPEL would essentially mean designing a new

language.language.

OutlineOutline

Overview of P3P and APPELOverview of P3P and APPEL Problems with APPELProblems with APPEL Can these problems be fixed?Can these problems be fixed? An XPath-based preference languageAn XPath-based preference language ConclusionConclusion

Language Design GoalsLanguage Design Goals

At least as expressive as APPELAt least as expressive as APPEL– APPEL designers investigated requirements for a preference APPEL designers investigated requirements for a preference

languagelanguage Use, if possible, an existing languageUse, if possible, an existing language

– P3P is specified in an XML formatP3P is specified in an XML format– XPath is a query language for XMLXPath is a query language for XML– XPath is a W3C Recommendation which is already used in a variety XPath is a W3C Recommendation which is already used in a variety

of available systemsof available systems– Benefits from the rigorous work done on the design of XPath syntax Benefits from the rigorous work done on the design of XPath syntax

and semanticsand semantics

XPrefXPref

Retain APPEL rule headsRetain APPEL rule heads Replace APPEL rule bodies with XPathReplace APPEL rule bodies with XPath

– Using a strict subset of XPath 1.0 necessary for expressing Using a strict subset of XPath 1.0 necessary for expressing preferencespreferences

– Adding the XPath 2.0 “every” quantified expression to Adding the XPath 2.0 “every” quantified expression to simplify expressing positive preferencessimplify expressing positive preferences

Negative Preferences in XPrefNegative Preferences in XPref

<RULESET> <RULE behavior="block“ condition="/POLICY/STATEMENT [ PURPOSE/*[ name(.) = "individual-analysis"] and RECIPIENT/* [ name(.) != "ours"] ]" /> <RULE behavior="request" condition="true"/></RULESET>

Block access to sites where the purpose is “individual-analysis” and the recipient is not “ours”

Positive Preferences in XPrefPositive Preferences in XPref

<RULESET> <RULE behavior="request“ condition="/POLICY [ every $pname in STATEMENT/PURPOSE/* satisfies (name($pname) = "current" or name($pname) = "pseudo-analysis") ]" /> <RULE behavior="block" condition="true"/></RULESET>

Access sites whose purposes for collecting information are strictly “current” or “pseudo-analysis”

Expressive PowerExpressive Power

Algorithm for converting APPEL to XPrefAlgorithm for converting APPEL to XPref

ConclusionConclusion

P3P is currently the only standard for expressing privacy policies P3P is currently the only standard for expressing privacy policies on the webon the web

To be successful, P3P needs a viable preference languageTo be successful, P3P needs a viable preference language XPref solves the problems of APPELXPref solves the problems of APPEL XPref is based upon XPath which is an existing and successful XPref is based upon XPath which is an existing and successful

standardstandard An algorithm which translates XPref into APPEL is given in the An algorithm which translates XPref into APPEL is given in the

paperpaper Next step: make XPref a W3C recommendationNext step: make XPref a W3C recommendation

Policy-Preference MatchingPolicy-Preference Matching

Web ServerBrowser

request policy1

send policy2

request web page if policy conforms to preference

5

policy and user preference3

result of matching4

APPEL Engine

P3P AdoptionP3P Adoption

YearYear Sites posting P3P policies amongSites posting P3P policies among

100 most popular sites100 most popular sites

19981998 45%45%

19991999 85%85%

20002000 97%97%

20012001 99%99%

an xpath-based preference language for p3p ibm almaden research center rakesh agrawal jerry kiernan...

Documents