PPMLP: A Special Modeling Language Processor for Privacy Policies

Weider D. Yu Savitha Murthy

Computer Engineering DepartmentSan Jose State University

San Jose(Silicon Valley), California, USA, 95192-0180Email. Weider. Yuisisu. edu

Abstract

In today's age of information technology, there is anincreasing concernfor theprivacy ofan individual's recordsstored on computers. The Internet and securityvulnerabilities provide an opportunity for hackers to misuseinformation. The level of an individual's trust for anorganization can be ensured or influenced by theorganization's Privacy Policy. Privacy has become aconcern only recently and hence, creating well documentedand comprehensive organizational Privacy Policies stillremains a challenge. The paper presents results on a specialPrivacy Policy Modeling Language Processor (PPMLP)based on Service Oriented Architecture (SOA) for anorganization to model the structure and contents ofPrivatePolicy they want through a meta type of Privacy PolicySpecifications.

1. Introduction

In today's world of information technology, there havebeen increasing concerns for avoiding disclose and misuse ofpersonal information by protecting the privacy ofindividual's data. Organizations are trying to ensure properuse of personal information by enforcing organizationalprivacy policies. Formulating these organizational privacypolicies can become a hard task. In a complex businesssituation, rules can always be overlooked giving anadvantage to people who want to misuse information.

The paper describes the research work on a specialmodeling language and the language processor constructedusing Service Oriented Architecture (SOA) orientedplatform for an organization to model the structure andcontents of a Private Policy and to further develop its naturallanguage and machine readable forms. The architecture ofthe modeling language processor defines the infrastructureand the means of creating an organizational Privacy PolicyTemplate. The template is created based on a meta version ofPrivacy Policy Specification written in XML giving theoutlines and contents of the Privacy Policy.

The templates are then parsed and checked using thePrivacy Policy grammar. Also, the contents of the templatesare verified against privacy principles to ensure theircompleteness. The template words used in the Privacy PolicyTemplates can then be replaced with actual data to formformal natural language privacy policies. Once the policytemplates are generated, creating complete natural languagepolicies require minimal user's input and processing time.The Enterprise Privacy Authorization Language (EPAL)syntax tree data generated by the Privacy Policy TemplateProcessor can then be translated into machine readableformat so that it can be an input to the policy enforcementengines.

Privacy Policy Template created by an organization, ifmade public, can be reused or referenced by otherorganizations. The architecture framework makes it possibleto divide the task of creating organizational privacy policiesinto several phases and make the artifacts generated duringthese phases reusable.

The following section contains a brief description of therelated work this research was built upon. The concepts anddefinition knowledge used are explained in Section 2. Section3 describes the proposed architecture for formulatingorganizational privacy policies, its goals and, the architecturalcomponents. The functionality ofthe proposed architecture isdescribed in Section 4. Section 5 consists of a description ofthe prototype system to evaluate the proposed PPMLParchitecture, followed by conclusions in Section 6.

2. Background and related technologies

2.1. SPARCLEA prototype called "SPARCLE" was implemented by

Brodie, Karat and Feng (Brodie et. Al., 2005) [5]. The focusof their research is to aid the creation of natural languagepolicy, to represent the natural language policy in a structuralform for ease of verification and to translate the naturallanguage policy into a machine readable format like EPAL.The SPARCLE prototype [9] requires the author to enter theprivacy rules manually. The privacy rules are then convertedinto machine readable form such as EPAL [4].

1-4244-1521-7/07/$25.00 ©2007 IEEE851

2.2. Privacy Policy Checker (Privacy Principles)The Privacy Policy Checker [15] (PPC) defines privacy

principles that can be used to evaluate Web applications andthe corresponding privacy statements from the customer'sperspective. The PPC assigns a compliance rating to a Webapplication based on the points given by the customer to thedifferent principles based on his/her interest. The privacyprinciples as specified by the National Privacy Principles[13] are listed in Table 1. The PPMLP makes use of theprivacy principles to evaluate the generated Privacy PolicyTemplates from the organizational perspective. The privacyprinciples are evaluated based on the guidelines given byGenerally Accepted Privacy Principles [7].

Table 1 - Privacy Principles

Principle DescriptionCollection An organization must collect

information only ifneeded and ina lawful manner after disclosingits identity and consequences ofinformation release to the user.

Use and An organization must not use or

disclosure disclose personal information toothers for reasons other than thepurpose for which theinformation is collected.

Data quality An organization must takereasonable steps to make sure

that the personal information itcollects uses or discloses isaccurate.

Data security An organization must takereasonable steps to protect thepersonal information it holdsfrom misuse, modification or

disclosure from unauthorizedaccess and also destroy unusedpersonal information.

Openness An organization must set out an

easily accessible document thatclearly expresses policies on itsmanagement of personalinformation.

Access and If an organization holds personalcorrection information about an individual,

it must provide the individualwith access to the information on

request by the individual as per

rules and also it cannot providereasons.

Identifiers An organization must not adoptas its own identifier of anindividual that has been assignedby: an agency; or an agent ofagency acting in its capacity as

agent; or a contracted serviceprovider.

2.3. EPALEPAL [4] is a formal language for writing enterprise

privacy policies. EPAL is aXML based language that enablesthe formulation of privacy rules which govern the handling ofdata within enterprises. Privacy policies can be exchanged ina structured format between applications or enterprises usingEPAL. Every EPAL policy contains data categories, user

categories, purposes, actions, obligations and conditions.Data categories are classified information that is being used.User categories are the entities that use the information.Purposes are the services for which the information is used.Actions define the way the information is used. Obligationsare the actions that must be performed after the rule has beenexecuted. Conditions are the Boolean expressions that have tobe satisfied for the rule to be executed.

Defining an EPAL policy has two aspects: one isdefining the EPAL vocabulary and, the other is defining theEPAL policy itself. EPAL vocabulary defines all the elementsthat are later referenced in rules defined in the EPAL policy.Any system interpreting an EPAL policy must be aware oftheterms defined in it. As the name suggests, an EPALvocabulary defines these terms also defines the data that maybe needed to evaluate conditions specified in the EPALpolicy. EPAL vocabulary enhances the flexibility of definingEPAL policies. An EPAL vocabulary defines the user

category, data category, purpose, action and the containerelements. The container defines the data attributes that are

required to define conditions in the EPAL policy. The EPALpolicy defines conditions and corresponding rules. Theconditions are specified on the container attributes listed inthe vocabulary. The conditions have to be satisfied for thecorresponding rules to be evaluated.

852

Anonymity Wherever it is lawful andpracticable, individuals musthave the option ofnot identifyingthemselves when enteringtransactions with anorganization.

Transborder An organization in an externaldata flows Territory may transfer personal

information about an individualto someone who is in a foreigncountry with individual consentto transfer.

Sensitive An organization must not collectinformation sensitive information about an

individual unless the individualhas consented or the collection isrequired by law; or the collectionis necessary to prevent or lessena serious and imminent threat tothe life or health of anyindividual.

PPMLP at Web Server

II

L L -I

Client

Figure 1 - Privacy Policy Modeling Language Processor architecture

3. Architecture for Privacy Policy ModelingLanguage Processor

The Privacy Policy Modeling Language Processor(PPMLP) architecture proposes a solution to theorganizational issues of generating Privacy Policies. Thearchitecture diagram ofPPMLP is shown in Figure 1.

3.1. Architectural goalThe goals of Privacy Policy Modeling Language

Processor are:

* To aid the creation of organizational Privacy PolicyTemplates and provide help and suggestions from a

knowledge base.* To ensure that the Privacy Policies generated by

organizations comply with the Privacy PolicyPrinciples.

* To enable automatic enforcement of theorganizational Privacy Policies by converting thePrivacy Policies from natural language based to EPALbased.

* To ease the overall effort by defining a grammar thatenables modeling of organizational Privacy Policies.

3.2. PPMLP componentsThe components of the Privacy

Language Processor as shown in Figure 1

Policy Modelingare:

3.2.1. Privacy Policy Template Processor (PPTP). PPTP isthe main functional component of the architecture. Thiscomponent of the PPMLP requires a Privacy PolicySpecification file from the client user. The meta PrivacyPolicy Specification must be defined by a higher authoritywith a good knowledge of the business domain and privacypolicies. The Privacy Policy Specification contains therequired sections in the privacy policy and their titles.Formatting information for generating printable documents isspecified in the meta Privacy Policy Specification file.

The Privacy Policy Template Processor reads in thePrivacy Policy Specification file and maps the user input tothe section titles specified in the format file. The PPTP parses

the user input based on a set of Privacy Policy Grammarrules. During the process of parsing, the PPTP validates thestructure of the privacy policy statements. It also builds a

syntax tree for the various EPAL constructs required forconversion. The PPTP also checks the compliance of thePrivacy Policy with the Privacy Policy Principles.

853

7 Client

L7-

The PPTP generates a Privacy Policy Template file andPrivacy compliance suggestions that can viewed at the clientuser side. The Privacy Policy Template file contains themapping between the section titles specified in the PrivacyPolicy Specification file and the user data (privacy policystatements). Additionally, a Privacy Policy Format file isgenerated that contains the formatting information that isrequired to generate a printable policy document. The formatfile is internal to PPMLP. The formatting information isspecified in the TROFF notation [1].

3.2.2. Natural Language Processor. The Natural LanguageProcessor parses the natural language sentences. The PPTPuses this component to recognize various natural languageconstructs [6] that are required to translate the naturallanguage Privacy Policy into the corresponding EPALpolicy.

3.2.3. Natural Language Policy Generator. Thiscomponent converts the Privacy Policy Template data fileinto a complete natural language based Privacy Policy. TheNatural Language Policy Generator reads in the PrivacyPolicy Template file and requests input from the client user

for the template words present in the Privacy PolicyTemplate file. It then replaces the template words with thespecific input information from the client user. This featuremakes a Privacy Policy Template reusable.

3.2.4. Formatted Policy Generator. This componentgenerates a printable Privacy Policy document file. TheFormatted Policy Generator reads in the Privacy PolicyFormat file generated by the PPTP and, the correspondingnatural language Privacy Policy generated the NaturalLanguage Privacy Policy Generator. The Formatted PolicyGenerator applies the troff notations in the Privacy PolicyFormat file to the corresponding section data in the naturallanguage Privacy Policy file. It converts the troff notations tothe formatting information that is required for the generationof a particular formatted document in rich text format.

3.2.5. EPAL Translator. The EPAL Translator reads in theEPAL syntax tree created by the PPTP. This componentgenerates an EPAL Privacy Policy file from the informationin the syntax tree. The client user is required to enter data forany missing information in the EPAL syntax tree. The EPALVocabulary and EPAL Policy files generated by the EPALTranslator can be used as input to the enforcement engines toenable automatic policy enforcement. Table 2 summarizesthe input and output of the various PPMLP componentsexplained in this section.

Table 2 - Input and output ofPPMLP components

4. PPMLP functionality

4.1. User interactionThe Privacy Policy Modeling Language Processor

requires four levels of user interaction to provide the requireddata. This division of user interaction prevents fromoverloading a single user with all the tasks of creating an

organizational Privacy Policy.

* First level - The first level of user input is the XMLtype of Privacy Policy Specification file. The varioussection labels that are required in the Privacy Policymust be defined in this file. This file also defines theformatting information for the sections. Thisformatting information is used for the generation of a

printable document.

* Second level - The second level of user input is thepolicy information corresponding to each section labelin the Privacy Policy Specification file. This data isused to generate the Privacy Policy Template file. Thedata can contain template words that act as

placeholders for later completion. The provision fortemplate words enables further customization of thePrivacy Policy Template file.

* Third level - The third level of user input is the datacorresponding to the template words. The templatewords in the Privacy Policy Template file are replacedwith the information entered by the user, and a

complete natural language Privacy Policy file isgenerated.

854

Component Inp ut Out utClient Side Inside To Client Internal

PPMLPPrivacy - Policy - Privacy - EPALPolicy Specification Policy syntax

Template - User input Template tree.Processor - Privacy - Policy

suggestions Format.

Natural Natural NaturalLanguage language languageProcessor sentences tokensFormatted - NL Policy Rich textPolicy - Policy format

Generator Format documentNL Privacy User Input Privacy Natural

Policy Policy LanguageGenerator Template Privacy

PolicyEPAL User Input EPAL EPAL

Translator syntax tree vocabularyand EPALPolicy

* Fourth level - The fourth level user input isrequired for the conversion of the natural languagePrivacy Policy to the corresponding EPAL policy.The PPMLP uses the EPAL syntax tree alreadygenerated by the PPTP component for thegeneration of the EPAL policy.

5. PPMLP prototype implementation

A prototype system has been designed and implementedin the SOA platform to evaluate the solution proposed by thePPMLP architecture. The system has a GUI use interface,which includes three main functional components. Each ofthese components is responsible for generating one or moredocuments mentioned in the previous sections. The GUIinterface consists of three tabs and, each of the tabs providesa user interface for the corresponding functional component.

to develop the Privacy Policy grammar rules [3, 14]. Aportion of the Privacy Policy Grammar rules are shown inFigure 7. The grammar rules use the BNF format [2]. Lex[ 11] and Yacc [8] parser generator tools [12] have been usedto generate parsers for the Privacy Policy Grammar.

Figure 4 - Privacy Policy Template Generation

Figure 3 - GUI prototype for PPMLP architecture

1.2.3.

Privacy Policy Template GenerationNatural Language Policy GenerationEPAL Policy Generation

The following sections discuss each of these functionalcomponents for the tabs in details.

5.1. Privacy Policy Template GenerationThe user provides the name of the Privacy Policy

Specification file and the name of the Privacy PolicyTemplate file to be generated through the GUI tab (shown inFigure 3). The functional block diagram of the PrivacyPolicy Template Generation component is shown in Figure 4.

The Format File Reader parses the Privacy PolicySpecification file and provides the list ofheadings to the GUItab. A sample Meta Privacy Policy Specification file isshown in Figure 5. User is required to enter data for each ofthese headings. The User Input Processor provides the data tothe Privacy Policy Parser for the parsing. The Privacy PolicyParser parses the user input based on the rules specified in thePrivacy Policy Grammar file. Sample policies were studied

During the parsing process, the Privacy Policy Parseralso provides the policy data to the Privacy Policy Check andEPAL Translation processes. The Privacy Policy Checkverifies the policy data against the Privacy Principles definedin Section 2.2 and, provides suggestions regarding anymissing information in the policy. The user can then modifythe policy data based on these suggestions. The EPALTranslator generates an EPAL syntax tree, and updates theinformation in the syntax tree with information from thepolicy data relevant for the generation of EPAL Policydocument. The Natural Language Processor performs the taskof identifying various natural language construct, such asnouns, verbs, etc., using link grammar [10].

Figure 5 - Sample Meta Privacy Policy specification

855

Figure 6 - Sample Policy Template as Policy Model

After all the processing of the policy data provided bythe user, the GUI provides the policy data to thePolicyWriter. The PolicyWriter generates the Privacy PolicyTemplate file shown in Figure 6 with the name initiallyprovided by the user as "name.template". The user canprovide template words using the format of "[w..w]" (e.g.[organization]).

5.2. Natural Language Policy GenerationThe Natural Language Policy (NLP) Generation

component is invoked by choosing the Natural LanguagePrivacy Policy Generation Tab in the GUI shown in Figure 3.It scans the Privacy Policy Template file, and the user isrequired to input data for all the template words embedded inthe Privacy Policy Template. This component generates acomplete Natural Language Privacy Policy file with thename entered by the user initially as "name.nl" shown inFigure 8.

Figure 7 - Portion of Privacy Policy Grammar

856

that is, Tpp = Tpt + Tnl + Tepal

The time required to create the privacy policy using thePPMLP is almost half the time required to create the policymanually. The time required for the initial phase, which is thepolicy template generation phase, is comparable with themanual policy template generation. This is because thePPMLP parses a Privacy Policy Specification file initially,and also, natural language processing and evaluationconsume some amount of time resulting in the delay. Oncethe policy template is generated, the natural language policyand EPAL policy generation time is very minimal, that is, T.,+ Tepal, which is very less as shown in Figure 9 and Table 3.

Figure 8 - Sample Natural Language Policy

5.3. EPAL Policy Generation componentThe EPAL Policy Generation component traverses the

EPAL syntax tree constructed during the Privacy PolicyTemplate Generation phase. Most of the informationrequired for the generation of the EPAL document is alreadyavailable in the syntax tree. Additional information requiredfor the EPAL Policy generation is obtained by choosing theEPAL.

5.4. Prototype evaluationThe time required for different phases of policy

generation are listed in Table 3. The chart in Figure 9 showsthe comparison of times for manual policy generation andpolicy generation using the PPMLP system.

Table 3 - Comparison of Policy generation time

Total Privacy Policy Generation Time (Tpp)

= Privacy Policy Template Generation Time (Tpt)+ Natural Lang. Privacy Policy Generation Time (T.,)+ EPAL Policy Generation Time (Tepal)

Policy Generation Time [ EPALNatural Language Policy

50

45

40

35

=300

925az

120

15

10

5-

OManual PPMLP Generated

Figure 9 - Policy generation time

Several users were asked to evaluate the prototype.Figure 10 shows the comparison of ratings for various aspectsof the privacy policy created manually and the one generatedusing the PPMLP. In case of the PPMLP, once the policytemplate is generated, maintainability of the generated policyis high because the policy can be read back in using thegrammar. But this is not the case with the manually generatedpolicy template because the policy has to be read again andany changes must be made manually. Manual changesrequires more time. Also, policy evaluation by the PPMLP -

against the privacy principles - during the templategeneration ensures that the information in the policy iscomplete. Also, every data entered by the user is parsed andvalidated. This assures the correctness of the policy, herebyimproving the integrity of the privacy policy. A good ratingagainst correctness is possible for manual policy generation,with the policy being created by a qualified and experiencedperson. But ensuring completeness is not easy for a manuallygenerated policy because it is likely to have missinginformation in the manual privacy policy. Once the templateis generated using the PPMLP, the template can be read inusing the Privacy Policy Grammar and reused any number oftimes. Hence the reusability of the policy template generatedusing the PPMLP is greater than the policy created manually.

857

Policy Generation TimePhase Manual PPMLP

Generation GenerationPolicy Template(Tpt) 36 hours 24 hours

Natural Language 1 hour 15 minutesPolicy (T.,)EPAL Policy(Tepal) 8 hours 1 hour

Total PolicyGeneration (Tpp) 45 hours 25.25 hours

Policy Management Aspects

10

9

8

- 7-

6

:3

2

1

0Maintainability Reusability Correctness Completeness

[4] Paul Ashley, Satoshi Hada, Gunter Karjoth, Calvin Powers, andMatthias Schunter, "UML Overview of the EPAL Syntax,"Enterprise Privacy Authorization Language (EPAL 1.2), W3C,November, 2003.

[5] Carolyn Brodie, Clarie-Marie Karat, John Karat, and JinjuanFeng (2005, July 6-8), "Usable Security and Privacy: A CaseStudy of Developing Privacy Management Tools," Proc. TheSymposium on Usable Privacy and Security, Carnegie-MellonUniversity, Pittsburgh, Pennsylvania, July 6-8, 2005.

[6] Greg Dixon, Exploring English, 2003. Available at:

[7] Generally Accepted Privacy Prinicples. Available at:

Figure 10 - Comparison of the PPMLP generatedpolicy versus manually created policy

6. Conclusions

With the increasing concem for privacy, there is a needfor organizations to create well defined privacy policies.Complex organization Privacy Policies that comply with theprivacy standards are hard to develop and maintain. Theresearch discussed in this paper helps organizations to createPrivacy Policy Templates for different domains. Help andsuggestions are provided to the user from a knowledge basethat makes the task of creating a Privacy Policy templatefaster and easier. A Privacy Policy Grammar makes itpossible to evaluate the user input during template generationand also, to read in the already created Privacy PolicyTemplate, for reuse or editing. This machine readable featureof Privacy Policy Templates makes the task of maintainingthe policy templates easier.

This PPMLP system and the approach can be useful fororganizations in creating Privacy Policies. The machinereadability of the natural language Privacy Policies can

improve the maintainability of the privacy policies.Additionally, this work can help increase privacy awareness

and interest of customers in privacy policies by summarizingand highlighting the relevant points. This can also help instandardizing privacy policies and improve their readability.

References

[1] Academic Computing Services, Formatting text using Unixtools: NroJf Troff University of California, San Diego,California, October 2003. Accessible at:

[8] Stephen C. Johnson, Yacc - Yet Another Compiler-Compiler,UNIX Programmer's Manual, Bell Laboratories, 1979.Available at:

[9] Clare-Marie Karat, SPARCLE (Server Privacy Architectureand Capability Enablement) policy workbench. Accessible at:

urii y,jinov ationl2.htlIl

[10] John Lafferty, Daniel Sleator, and Davy Temperley, LinkGrammar, 2005. Available at:

[11] M. E. Lesk and E. Schmidt, Lex -A Lexical AnalyzerGenerator. Available at:lex/index.html

[12] John R. Levine, Tony Mason, and Doug Brown, Lex & Yacc,second edition. O'Reilly &Associates, 1992.

[13] National Privacy Principles (extracted from the PrivacyAmendment (Private Sector) Act 2000). Available at:

[14] Phoenix Health Systems, Sample Privacy Policy Template.Accessible at:Privacyorderform.cfm

[15] Weider Yu, Sharanya Doddapaneni, and, Savitha Murthy, "APrivacy Assessment Approach for Service OrientedArchitecture Applications," in Proc. The IEEE InternationalSymposium on Service Oriented System Engineering, October25-27, 2006, Shanghai, China, pp. 67-75.

[2] Alfred V. Aho, Ravi Sethi, Jeffrey D. Ullman, Compilers:Principles, Techniques, and Tools. Addison-Wesley, 1986.

[3] BJC HealthCare, Policy Regarding Protected HealthInformation and Methods to De-Identify Protected HealthInformation, 2002. Accessible at:

19.0.pdf

858

zr-.0_Qcr,C

mw

* Manual Policy